[SUSPECTED SPAM] Filtering incoming connections on the basis of the ID string

Damien Miller djm at mindrot.org
Mon May 31 11:07:06 AEST 2021


On Sun, 30 May 2021, Luveh Keraph wrote:

> I would be interested to filter incoming connections depending on the exact
> nature of the ID string supplied by the customer.  RFC 4253 specifies that
> that ID string should conform to the following structure:
> 
>       SSH-protoversion-softwareversion SP comments CR LF
> 
> I would like to be able to selectively allow incoming connections to
> proceed (or terminate them there and then) when the value of
> softwareversion (or even comments) matches some predetermined pattern. Is
> this something that OpenSSH servers can do?

No, but it probably wouldn't be too hard to implement a "Match clientversion".

What would be the purpose of this filtering? If you're considering it to
block password guessers, and such filtering becomes popular, then they
are highly likely to change their version strings.

IMO it's generally better to disallow password authentication, except from
trusted sources.

-d
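
The filtering discussed in this thread, sketched as an added example (not part of the original messages and not OpenSSH code): a strict parser for the RFC 4253 identification line plus a deny-list check on softwareversion. The function names, the deny pattern and the sample banners are constructed for illustration. Because the peer chooses the string, the check only constrains clients that announce themselves honestly.

```python
import fnmatch
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion: printable US-ASCII, no whitespace, no '-'.
# Comments are optional; limiting them to printable ASCII is an assumption here.
ID_RE = re.compile(rb"SSH-([!-,.-~]+)-([!-,.-~]+)(?: ([ -~]*))?\r\n")
MAX_ID_LEN = 255  # whole line, including CR LF


def parse_ident(line: bytes):
    """Return (protoversion, softwareversion, comments), or None if malformed."""
    if len(line) > MAX_ID_LEN:
        return None
    m = ID_RE.fullmatch(line)
    if m is None:
        return None
    proto, software, comments = m.groups()
    return proto.decode(), software.decode(), (comments or b"").decode()


def allowed(line: bytes, deny_patterns) -> bool:
    """Hypothetical policy: drop malformed lines and denied softwareversions."""
    parsed = parse_ident(line)
    if parsed is None:
        return False
    _, software, _ = parsed
    return not any(fnmatch.fnmatchcase(software, p) for p in deny_patterns)


# Constructed sample banners (not captured traffic).
DENY = ["ExampleScanner_*"]
SAMPLES = [
    b"SSH-2.0-OpenSSH_8.6\r\n",               # ordinary client
    b"SSH-2.0-ExampleScanner_1.0 probe\r\n",  # matches the deny pattern
    b"GET / HTTP/1.1\r\n",                    # not an SSH identification line
    b"SSH-2.0-" + b"A" * 300 + b"\r\n",       # exceeds the 255-byte limit
]


def evaluate_samples():
    """Return the allow/deny decision for each constructed sample."""
    return [allowed(s, DENY) for s in SAMPLES]


if __name__ == "__main__":
    for sample, ok in zip(SAMPLES, evaluate_samples()):
        print("allow" if ok else "deny ", sample[:40])
```
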