I would like to see an option in the configuration files to fully remove product and version information from the server's protocol. It is part of my security concept to NOT show anything like that to outside users.
We cannot remove this, because it causes interoperability problems with older software (this breaks bug detection). We might reconsider this if we've fixed all major protocol bugs (e.g. when the protocol is stable).
Okay, sounds reasonable.
Created attachment 523 [details]
Patch to add configurable version information

This patch provides the following new fields in sshd_config:
ProtoVersionMajor
ProtoVersionMinor
SoftwareVersion
VersionComments
The first three are designed to allow (crazy) administrators to override the compiled defaults for the software. The last one is designed to provide distribution maintainers the ability to tack on additional version information, if they so choose, instead of patching SSH_VERSION.
Sounds great! Any chance that this will be included in the next OpenSSH release?
Not a chance in hell. Read comment #1. ProtoMajor and ProtoMinor are useless buttons; they only allow you to break things.
Do you see a problem with SoftwareVersion or VersionComments? I still don't see any harm in just offering all four as configurable options. Only people who really wanted to break stuff would use them.
Also, I might add, those four options are _only_ for the banner. They are not used when examining the client's version information.
4 more useless options, are you kidding? :) ProtoVersionMajor? ProtoVersionMinor?
When there are no buggy versions left *COUGH, ya right* I'd rather see a simple "HideVersion" or "FakeVersion".. Instead of some insane four option mess. Other software packages don't need crap like this. Why are you pushing for it here?
Created attachment 524 [details]
Allow software version and version comments to be configurable

Okay, here's a reduced patch that just gives the SoftwareVersion and VersionComments config items. I still think it'd be cool to have major and minor definable too. Anyway, the reason for this is to get Debian to quit putting their full package version information on my SSH banner. They patch openssh (and won't change it) to include this in SSH_VERSION, and I think a better option is to make this configurable.
Also, I made them separate options so that the ones you didn't want to override (like, say, the major, minor, and software) could be left alone across upgrades. Let's say I have just "VersionComments" in my sshd_config; when I upgrade to OpenSSH 3.8.1p1, the software version reported by the banner can change. I think this is saner than having one big full-banner replacement that has to be changed when the software changes. As for other software: this kind of thing exists for sendmail, apache, etc. I don't think it's unreasonable.
Please add options so I can change the encoding of message types as well. See ssh2.h and ssh1.h.
FYI: there is already an option for protocol major and minor. It's called Protocol!
Message types: what? "Protocol" option: I wanted to be able to _lie_ about what was supported. Will you accept my 2nd patch?
Created attachment 866 [details]
SuppressVersionString = (yes/no)

Still allows the sshd to spit out the SSH protocol version but hides the implementation name and version string. May or may not break old clients, but I thought I would submit it anyway.
*** Bug 1019 has been marked as a duplicate of this bug. ***
I can't see us ever implementing this. See comment #1, but it is 2008 and we are still finding broken implementations that need compat tweaks.
Mass update RESOLVED->CLOSED after release of openssh-5.1
> Mass update RESOLVED->CLOSED after release of openssh-5.1

Does this mean you are going to fix it soon? May I suggest giving the user the freedom to choose, similar to apache:

ServerTokens {Full|Minimal|Prod}

which would generate something like:

Full:    SSH-2.0-OpenSSH_5.1
Minimal: SSH-2.0
Prod:    SSH-2.0-OpenSSH

or whatever, which would not cause any of the interoperability problems mentioned in comment #1 and yet could help in hardening the openssh server?
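The following is an added example written for this page, not OpenSSH code and not part of any comment in this thread. It builds the RFC 4253 identification line for the three hypothetical ServerTokens-style levels suggested in the comment above, parses it the way a client would, and runs a constructed (not OpenSSH's real compat.c) quirk table over the result, so you can see which levels leave a client unable to do the bug detection that comment #1 refers to. The level names, the sample software version and the compat table entries are all assumptions made for the illustration.

```python
"""Added example: RFC 4253 identification strings under three hypothetical
ServerTokens-style levels (Full, Minimal, Prod), and what a client-side
compat lookup can still do with each.

Illustrative code written for this page, not OpenSSH's source. The level
names follow the comment above; the software version and the compat table
below are constructed samples, not OpenSSH's real compat.c entries."""
import re

PROTO_VERSION = "2.0"
SOFTWARE_VERSION = "OpenSSH_5.1"   # constructed sample, matching the comment

# Identification string per RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S*)(?: (?P<comments>.*))?$")
# A banner with no softwareversion field at all ("SSH-2.0"), as the
# Minimal level in the comment would emit.
PROTO_ONLY_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)$")


def build_banner(level, comments=None):
    """Return the identification line a server would send at each level."""
    if level == "Full":
        line = "SSH-%s-%s" % (PROTO_VERSION, SOFTWARE_VERSION)
    elif level == "Prod":
        # implementation name only, version number stripped
        line = "SSH-%s-%s" % (PROTO_VERSION, SOFTWARE_VERSION.split("_", 1)[0])
    elif level == "Minimal":
        # Exactly the string from the comment. It omits the mandatory
        # softwareversion field, so a strict peer may reject it; this is
        # the interoperability risk comment #1 is talking about.
        line = "SSH-%s" % PROTO_VERSION
    else:
        raise ValueError("unknown level %r" % level)
    if comments:
        line += " " + comments
    return line + "\r\n"


def parse_banner(line):
    """Parse an identification line as a client would; tolerate a protocol-only banner."""
    line = line.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if m:
        fields = m.groupdict()
        fields["software"] = fields["software"] or None  # "SSH-2.0-" -> no version
        return fields
    m = PROTO_ONLY_RE.match(line)
    if m:
        return {"proto": m.group("proto"), "software": None, "comments": None}
    raise ValueError("not an SSH identification string: %r" % line)


# Constructed compat table in the spirit of comment #1's bug detection:
# (regex over softwareversion, quirk flags the client must enable for that peer).
COMPAT_TABLE = [
    (r"^OldVendorSSH_1\.[0-2]$", {"BUG_PADDING"}),
    (r"^OpenSSH_[23]\.", {"BUG_OLD_KEX"}),
]


def compat_flags(software):
    """Quirk flags a client would enable; None when there is no version to match on."""
    if not software:
        return None
    for pattern, flags in COMPAT_TABLE:
        if re.match(pattern, software):
            return set(flags)
    return set()


def client_view(level, comments=None):
    """What a client learns, and which quirks it can still detect, at each level."""
    banner = parse_banner(build_banner(level, comments))
    return {"software": banner["software"], "flags": compat_flags(banner["software"])}


if __name__ == "__main__":
    for level in ("Full", "Prod", "Minimal"):
        print(level, repr(build_banner(level)), client_view(level))
    # A peer that needs a quirk is only recognised when it sends its version:
    print(compat_flags("OldVendorSSH_1.2"))
```

Two things fall out of running it. "Prod" still parses as a well-formed banner but matches no version-specific compat entry, so a client silently treats the server as quirk-free; "Minimal" leaves the client with nothing to match at all, which is the case where a peer that relies on the field may refuse to continue.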
I'd like to reopen this. More than ten years after the initial debate, the world is a different one. After Snowden, we know that nation-state actors at the same time kill people based on metadata and target Angry Birds. So we should do all we can to minimize revealing metadata by default, or at least have the option to do so. Over in Debian, there's a similar bug [0], which states that this version string "is used as a selector in NSA's XKEYSCORE queries in conjunction with the metadata database of potentially exploitable services (BLEAKINQUIRY) by the NSA group 'S31176' for targeted exploit and compromise [1][2]". I respect the argument that it might be "necessary to use the version for protocol compatibility tweaks". So keep it in, and leave it enabled by default. But I see no reason why an operator of an sshd should not be able to disable it, if (s)he is confident that his/her own clients can or must handle it. (After all, there are many config options which can lock out lots of clients; see Ciphers/MACs and mobile clients.) So please reconsider an optional setting to disable (or edit) the remote software version string.

0. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786987#50
1. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
2. http://www.spiegel.de/media/media-35515.pdf