Hiding SSH Host Banner Doesn't work

Mark D. Baushke mdb at juniper.net
Wed Jun 17 05:34:25 AEST 2020


Hi bo0od,

bo0od <bo0od at riseup.net> writes:

> Maybe it's useful, but on the other hand it's a bad decision if the user
> wants to hide it in order to avoid bot attacks on vulnerable versions
> (for surely it should not be left un-updated for a long time, BUT an
> optional setting is still preferable so the user can choose whether to
> hide it or not).

Security through obscurity is not security. It is security theatre.

Even if a lot of OS distributions patch the security problems with
secure shell and do NOT update the version string being passed.

> Default can be show version , but at least provide easy option to hide.

The option exists, recompile.

Or, pay someone to support the option for you and have them provide you
the binaries.

There have been MANY interoperability issues across Secure Shell
implementations and releases of code, such that the exact version
information is HIGHLY desirable to avoid interoperability problems. As
has been suggested, for OpenSSH look in compat.c. The same is true for
OpenSSH releases, where you need to look at the other secure shell
vendors' source implementations.

For myself, I do NOT want to see the feature disappear just because a
system administrator wants to obfuscate the version of secure shell they
are using on their systems and feels doing so in a config file is the
best thing to do.

It is always better to keep up-to-date with the latest release whenever
possible.

Note: I expect to see a fair amount of breakage when the mandatory to
implement options are no longer enabled by default:

  REQUIRED [RFC4253]
    * ssh-dss (with 1024-bit keys and sha1 hashes)
    * diffie-hellman-group1-sha1
    * diffie-hellman-group14-sha1
    * 3des-cbc
    * hmac-sha1

  RECOMMENDED [RFC4253]
    * ssh-rsa (with sha1 hashes)
    * aes128-cbc
    * hmac-sha1-96

I expect to see a LOT of implementations not having ssh-dss,
diffie-hellman-group1-sha1, or 3des-cbc enabled by default in the near
future.

	Be safe, stay healthy,
	-- Mark
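As an added example (not part of Mark's message and not OpenSSH's own code), the Python below shows why the exact version string matters to compatibility handling. It parses the identification string a server sends per RFC 4253 section 4.2 (skipping the pre-version banner lines the RFC allows, and enforcing the 255-byte limit), then matches softwareversion against a table of comma-separated glob patterns in the shape of OpenSSH's compat.c. The vendor names, quirk flag names, compat entries and greeting bytes are all constructed for illustration; an obscured banner such as "SSH-2.0-hidden" matches no entry, so none of the peer's quirks get handled, which is the interoperability breakage the message warns about.

```python
"""RFC 4253 identification-string parsing plus version-based compat matching.

Added example.  The compat table is constructed to illustrate the mechanism
and is NOT OpenSSH's real table; vendor and flag names are hypothetical.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# RFC 4253 4.2:  SSH-protoversion-softwareversion SP comments CR LF
# The whole string, CR LF included, is at most 255 bytes.  Real OpenSSH is
# lenient about the exact characters, so this regex is lenient too: the
# software version runs up to the first space, comments are the remainder.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
_MAX_IDENT_BYTES = 255


@dataclass(frozen=True)
class Identification:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_identification(line: str) -> Identification:
    """Parse one identification line (without its trailing CR LF)."""
    # +2 accounts for the CR LF that the wire format carries.
    if len(line.encode("ascii", "replace")) + 2 > _MAX_IDENT_BYTES:
        raise ValueError("identification string longer than 255 bytes")
    m = _IDENT_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Identification(m["proto"], m["software"], m["comments"])


def read_server_identification(greeting: bytes) -> Identification:
    """Find the version line in a server greeting.

    RFC 4253 lets the server send other lines BEFORE the version string
    (each CR LF terminated, none starting with "SSH-"); a client must skip
    them rather than treat the first line as the identification.
    """
    for raw in greeting.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", "replace")
        if line.startswith("SSH-"):
            return parse_identification(line)
    raise ValueError("no identification string in greeting")


# Constructed compat table (hypothetical vendors and flags), shaped like the
# pattern-list -> flag entries in OpenSSH's compat.c: each entry is a
# comma-separated list of glob patterns matched against softwareversion.
COMPAT_TABLE: List[Tuple[str, str]] = [
    ("ExampleSSH_1.*,ExampleSSH_2.0*", "QUIRK_OLD_KEX_PADDING"),
    ("ExampleSSH_2.1.[0-3]*", "QUIRK_BAD_HMAC_TRUNCATION"),
    ("OtherVendorSSH*", "QUIRK_NO_RSA_SHA2"),
]


def compat_flags(softwareversion: str) -> Set[str]:
    """Return the set of quirk flags whose pattern list matches the peer."""
    flags: Set[str] = set()
    for patterns, flag in COMPAT_TABLE:
        if any(fnmatch.fnmatchcase(softwareversion, p) for p in patterns.split(",")):
            flags.add(flag)
    return flags


# Constructed greetings (not captured from real hosts).
GREETING_WITH_PREBANNER = (
    b"*** Authorized use only ***\r\n"
    b"SSH-2.0-ExampleSSH_2.1.2 Debian-3\r\n"
)
GREETING_OBSCURED = b"SSH-2.0-hidden\r\n"


def demo() -> Tuple[Identification, Set[str], Set[str]]:
    """Parse both greetings and compute compat flags for each."""
    ident = read_server_identification(GREETING_WITH_PREBANNER)
    obscured = read_server_identification(GREETING_OBSCURED)
    return ident, compat_flags(ident.softwareversion), compat_flags(obscured.softwareversion)


if __name__ == "__main__":
    ident, flags, hidden_flags = demo()
    print(ident)
    print("quirks for real banner:    ", sorted(flags))
    print("quirks for obscured banner:", sorted(hidden_flags))
```

The pre-banner handling is the part most home-grown scanners get wrong: reading only the first line of the greeting misclassifies any server that emits a legal notice before its version line.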


More information about the openssh-unix-dev mailing list