[Bug 2971] New: Prevent OpenSSH from advertising its version number

Yegor Ievlev koops1997 at gmail.com
Wed Feb 20 18:56:12 AEDT 2019


Another reason why this may be useful is prevention of fingerprinting
of the OpenSSH client by the server or an outside observer.

On Wed, Feb 20, 2019 at 10:06 AM Loganaden Velvindron
<loganaden at gmail.com> wrote:
>
> Also, a lot of measurement/research on deployment of OpenSSH relies on
> version advertising for their statistics. It's going to be harder to know
> the impact of deprecation of certain legacy features without statistics.
>
> I also agree with Mark here.
>
>
>
> On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb at juniper.net> wrote:
>
> > Nagesh writes:
> >
> > > Cyber security team has recommended to disable the OpenSSH software
> > > version advertising when the connection has been established.
> >
> > With respect, your cyber security team are foolish if they think that
> > obscurity of version will stop any bad actors from attempting to break
> > into OpenSSH in any way possible. The only folks hurt by suppressing the
> > version advertising are the other implementations of the Secure Shell.
> >
> > Please DO NOT allow the suppression of the OpenSSH version number.
> >
> > There are just too many cases where both OpenSSH interoperating with
> > itself as well as other SSH implementations have needed this version
> > number to properly deal with bugs in the code via negotiations.
> >
> > This bug should be closed with WONTFIX.
> >
> >        Thank you,
> >         -- Mark
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
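The interoperability point raised in the thread, as an added example that is not part of the original messages and is not OpenSSH's own code: a peer reads the softwareversion field of the identification line (format from RFC 4253 section 4.2) and uses it to choose bug workarounds, so a suppressed version leaves it nothing to match on. The flag names, the "ExampleSSH" banners and the table contents are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical workaround flags and peer names, constructed for this example. */
enum { QUIRK_NONE = 0, QUIRK_OLD_KEX = 1, QUIRK_SIG_FORMAT = 2 };
static const struct { const char *prefix; int quirks; } quirk_table[] = {
    { "ExampleSSH_1.",  QUIRK_OLD_KEX | QUIRK_SIG_FORMAT },
    { "ExampleSSH_2.0", QUIRK_SIG_FORMAT },
};

/* Copy the softwareversion field of an RFC 4253 section 4.2 identification
 * line, "SSH-protoversion-softwareversion[ SP comments] CR LF", into out.
 * Returns 0 on success, -1 if the line is malformed or a field is empty. */
int parse_software(const char *line, char *out, size_t outlen)
{
    const char *dash;
    size_t n;
    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    dash = strchr(line + 4, '-');
    if (dash == NULL || dash == line + 4)
        return -1;                        /* missing or empty protoversion */
    n = strcspn(dash + 1, " \r\n");       /* stop before comments or CR LF */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, dash + 1, n);
    out[n] = '\0';
    return 0;
}

/* Workarounds to enable for a peer banner, or -1 if it is not valid. */
int quirks_for_banner(const char *line)
{
    char sw[64];
    size_t i;
    if (parse_software(line, sw, sizeof(sw)) != 0)
        return -1;
    for (i = 0; i < sizeof(quirk_table) / sizeof(quirk_table[0]); i++)
        if (strncmp(sw, quirk_table[i].prefix, strlen(quirk_table[i].prefix)) == 0)
            return quirk_table[i].quirks;
    return QUIRK_NONE;   /* unknown or suppressed version: nothing to select */
}

int main(void)
{
    printf("%d\n", quirks_for_banner("SSH-2.0-ExampleSSH_1.4 legacy\r\n"));
    printf("%d\n", quirks_for_banner("SSH-2.0-hidden\r\n"));
    return 0;
}
```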

