[Bug 2971] New: Prevent OpenSSH from advertising its version number

Stuart Henderson stu at spacehopper.org
Wed Feb 20 22:18:30 AEDT 2019


On 2019/02/20 10:59, Jochen Bern wrote:
> On 02/20/2019 07:51 AM, Mark D. Baushke wrote:
> > There are just too many cases where both OpenSSH interoperating with
> > itself as well as other SSH implementations have needed this version
> > number to properly deal with bugs in the code via negotiations.
> 
> FWIW, and without dismissing the possibility of fingerprinting a server
> in other ways, the fact that clients that *can* pass authentication have
> a need to know the server's version number (and vice versa) does not
> necessarily imply that that information needs to be passed in the
> *public* part of the protocol ...

Some of the compat code is pre-authentication. It is required to have the
version number early.
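
Added example, not part of the message above and not OpenSSH's code: a sketch of quirk selection driven by the peer's identification string, which RFC 4253 section 4.2 has each side send before key exchange begins. The `ExampleSSH` banners, the `QUIRK_*` flag names and the table are constructed for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical quirk flags for this sketch, not OpenSSH's own names. */
#define QUIRK_KEX_PADDING 0x01u /* changes key-exchange handling */
#define QUIRK_OLD_DHGEX   0x02u /* changes the group-exchange request */

/* Constructed table: glob on the software version -> quirks to enable. */
static const struct { const char *pat; unsigned flags; } quirks[] = {
    { "ExampleSSH_1.*", QUIRK_KEX_PADDING },
    { "ExampleSSH_0.*", QUIRK_KEX_PADDING | QUIRK_OLD_DHGEX },
};

/* Split "SSH-protoversion-softwareversion[ SP comments] CR LF".
 * Returns 0 on success, -1 if the line is not a usable identification. */
int parse_ident(const char *line, char *proto, size_t plen, char *sw, size_t slen)
{
    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    const char *p = line + 4, *dash = strchr(p, '-');
    if (dash == NULL || dash == p || (size_t)(dash - p) >= plen)
        return -1;
    memcpy(proto, p, (size_t)(dash - p));
    proto[dash - p] = '\0';
    size_t n = strcspn(dash + 1, " \r\n"); /* stop at comments or line end */
    if (n == 0 || n >= slen)
        return -1;
    memcpy(sw, dash + 1, n);
    sw[n] = '\0';
    return 0;
}

/* Quirk bits for a peer; 0 when the banner is unusable or unrecognised. */
unsigned quirks_for_banner(const char *line)
{
    char proto[16], sw[64];
    unsigned flags = 0;
    if (parse_ident(line, proto, sizeof proto, sw, sizeof sw) != 0)
        return 0;
    for (size_t i = 0; i < sizeof quirks / sizeof quirks[0]; i++)
        if (fnmatch(quirks[i].pat, sw, 0) == 0)
            flags |= quirks[i].flags;
    return flags;
}
int main(void)
{
    printf("%#x\n", quirks_for_banner("SSH-2.0-ExampleSSH_0.9 demo\r\n"));
    return 0;
}
```

Both constructed quirks change how key exchange is carried out, so the lookup has to finish before any authenticated channel exists to carry the version.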


