Doing something with OS fingerprint?

Jochen Bern Jochen.Bern at
Mon Feb 22 20:54:06 AEDT 2021

On 21.02.21 06:37, Stef Bon wrote:
> Hi,
> in the iptables subsystem of Linux it's possible to get the
> fingerprint of the peer OS.
> See:
> man iptables-extensions
> under osf
> If this information is available it's possible to adjust behaviour (a
> little) to meet the peer's flaws and maybe bugs. Have you ever thought
> about that?

My - admittedly first ever - thoughts on that:

-- Doesn't OpenSSH already parse the peer's Hello String for that?
-- (The possibility of SSH software other than the OS default being
   installed has already been mentioned)
-- osf can also differ from defaults (own fingerprint files being
   loaded, --ttl param etc.)
-- Just because the kernel('s iptables implementation) has that info
   doesn't mean that ssh(d) can easily get it
-- Not to forget non-Linux systems ...

Jochen Bern

Binect GmbH
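
Added example, not part of the original message and not OpenSSH's own code: a sketch of application-layer peer identification from the SSH identification ("hello") string defined in RFC 4253 section 4.2, which identifies the SSH software itself rather than the OS a TCP fingerprint would guess at. The software names, glob patterns and QUIRK_* flags are constructed for illustration.

```c
#include <fnmatch.h>
#include <string.h>

/* Hypothetical quirk flags, for illustration only. */
enum { QUIRK_NONE = 0, QUIRK_NO_REKEY = 1 << 0, QUIRK_OLD_KEX = 1 << 1 };

struct ssh_ident {
    char proto[16];     /* e.g. "2.0" */
    char software[200]; /* e.g. "ExampleSSH_2.1p1" */
};

/* Constructed pattern table: software-version glob -> quirk flags. */
static const struct { const char *pat; int flags; } quirk_table[] = {
    { "ExampleSSH_1.*", QUIRK_NO_REKEY | QUIRK_OLD_KEX },
    { "ExampleSSH_2.[0-3]*", QUIRK_NO_REKEY },
};

/* Parse "SSH-protoversion-softwareversion[ SP comments]" (RFC 4253, 4.2).
 * Returns 0 on success, -1 on a malformed or oversized line. */
int parse_ssh_ident(const char *line, struct ssh_ident *out)
{
    size_t len = strcspn(line, "\r\n");
    if (len > 253 || strncmp(line, "SSH-", 4) != 0)  /* 255 incl. CR LF */
        return -1;
    const char *p = line + 4;
    const char *dash = memchr(p, '-', len - 4);
    if (dash == NULL || dash == p || (size_t)(dash - p) >= sizeof(out->proto))
        return -1;
    memcpy(out->proto, p, (size_t)(dash - p));
    out->proto[dash - p] = '\0';
    const char *sw = dash + 1;
    size_t swlen = strcspn(sw, " \r\n");  /* comments after SP are ignored */
    if (swlen == 0 || swlen >= sizeof(out->software))
        return -1;
    memcpy(out->software, sw, swlen);
    out->software[swlen] = '\0';
    return 0;
}

/* Return the OR of all quirk flags whose pattern matches the banner. */
int quirks_for(const struct ssh_ident *id)
{
    int flags = QUIRK_NONE;
    for (size_t i = 0; i < sizeof(quirk_table) / sizeof(quirk_table[0]); i++)
        if (fnmatch(quirk_table[i].pat, id->software, 0) == 0)
            flags |= quirk_table[i].flags;
    return flags;
}
```

The banner is self-reported by the peer, so a table like this is only suitable for selecting compatibility workarounds, not for any trust decision.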


More information about the openssh-unix-dev mailing list