
turn off version reporting?


Devin Lee Drew

Apr 30, 2001, 11:41:37 AM
Greetings,

Is it possible to prevent sshd from reporting its exact version number
when port 22 is telneted to? I am building portable openssh without a
problem. Can I modify some piece of the source to do this? There is no
mention of it in man pages or sshd_config, nor is there an option for it
in configure --help before building.

$telnet mymachine 22
Connected to mymachine
Escape character is '^]'.
SSH-1.99-OpenSSH_2.5.2p2

tia
Devin

jose

Apr 30, 2001, 12:13:04 PM
Devin Lee Drew wrote:

> Is it possible to prevent sshd from reporting its exact version number
> when port 22 is telneted to? I am building portable openssh without a
> problem. Can I modify some piece of the source to do this? There is no
> mention of it in man pages or sshd_config, nor is there an option for it
> in configure --help before building.

yes. hack the source.

> $telnet mymachine 22
> Connected to mymachine
> Escape character is '^]'.
> SSH-1.99-OpenSSH_2.5.2p2

all that would be needed would be the first part,

SSH-1.99

for protocol compatibility. the second part is a comment.

jose nazario jo...@cwru.edu

Richard Silverman

Apr 30, 2001, 1:07:30 PM
>>>>> "Jose" == jose <jo...@biochemistry.cwru.edu> writes:

Jose> Devin Lee Drew wrote:
>> Is it possible to prevent sshd from reporting its exact version
>> number when port 22 is telneted to? I am building portable openssh
>> without a problem. Can I modify some piece of the source to do
>> this? There is no mention of it in man pages or sshd_config, nor is
>> there an option for it in configure --help before building.

Jose> yes. hack the source.

>> $telnet mymachine 22
>> Connected to mymachine
>> Escape character is '^]'.
>> SSH-1.99-OpenSSH_2.5.2p2

Jose> all that would be needed would be the first part,

Jose> SSH-1.99

Jose> for protocol compatibility. the second part is a comment.

Note, however, that many clients use the comment to recognize particular
server implementation and work around known bugs and issues, so you may
cause yourself problems by doing this.

--
Richard Silverman
sl...@shore.net

Devin Lee Drew

Apr 30, 2001, 1:34:15 PM
This is line 327 of sshd.c
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);

it seems to match SSH-1.99-OpenSSH_2.5.2p2 perfectly.

I think that I want to change it to read
snprintf(buf, sizeof buf, "SSH-%d.%d\n", major, minor);
but I have no experience with C syntax / debugging. It would be great if
someone could say yea or nay and I'll run with it.

Devin

Devin Lee Drew

Apr 30, 2001, 2:37:26 PM
Richard Silverman wrote:

I think that the clients also send their version numbers to sshd. I hope to
not break sshd's ability to figure out the client version. My hope is that
the SSH-1.99 will be enough for the clients to start talking as Jose implied.
We'll see what happens....

Devin

Richard Silverman

Apr 30, 2001, 5:03:29 PM
>>>>> "Devin" == Devin Lee Drew <dd...@NOucsdSPAM.edu> writes:

Devin> I think that the clients also send their version numbers to
Devin> sshd.

They do.

Devin> I hope to not break sshd's ability to figure out the client
Devin> version.

That shouldn't be a problem.

Devin> My hope is that the SSH-1.99 will be enough for the clients to
Devin> start talking as Jose implied.

It is, at least according to the protocol.

--
Richard Silverman
sl...@shore.net

Devin Lee Drew

Apr 30, 2001, 7:15:07 PM
Aha! I got it.

You can define SSH_VERSION in the file version.h from the OpenSSH 2.5.2
source. Whatever you put there is what comes after SSH-1.99- in the initial
negotiation. Negotiation fails if you leave it blank "" but "2" or "pre_beta"
work for me. I am connecting to this source-built sshd using the OpenSSH
clients, ssh.com's v2.4 windows ssh/sftp client, and the old NiftyTelnetSSH
for the Mac.

Thanks for your help Richard and Jose,

Devin

Markus Friedl

May 1, 2001, 5:27:01 AM
>Is it possible to prevent sshd from reporting its exact version number
>when port 22 is telneted to?

why?

edit version.h, but only if you don't care
about interoperating with other implementations.

older implementations of ssh protocol v2
contain several bugs (including openssh 2.5.2)
and the version string is used for
detecting and emulating these bugs.


-m
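Devin found above that an empty software-version field ("SSH-1.99-") makes negotiation fail, and Markus and Richard point out that peers use that field to detect and emulate known bugs. The C below is an added example, not OpenSSH's code and not from any poster in this thread: it parses an identification line into its protocol-version, software-version and comment fields, rejects the empty-software case, and looks the software field up in a quirk table. The table entries and the QUIRK_EXAMPLE_* flags are constructed for illustration and do not reproduce OpenSSH's real compatibility table.

```c
#include <stdio.h>
#include <string.h>

/* Fields of an SSH identification line "SSH-<major>.<minor>-<software>[ <comments>]".
 * Constructed example struct, not OpenSSH's own code. */
struct ssh_ident {
    int major, minor;
    char software[101];   /* 100 chars, mirroring the %.100s in sshd.c's snprintf */
    char comments[101];
};

/* Parse one identification line (trailing CR/LF tolerated).
 * Returns 0 on success, -1 when the mandatory "SSH-x.y-" prefix is missing
 * or the software-version field is empty, the case Devin saw fail. */
int parse_ssh_ident(const char *line, struct ssh_ident *out)
{
    int n = 0;
    memset(out, 0, sizeof *out);
    /* %n records how far the "SSH-x.y-" prefix matched; 0 means the '-' was missing */
    if (sscanf(line, "SSH-%d.%d-%n", &out->major, &out->minor, &n) != 2 || n == 0)
        return -1;
    const char *p = line + n;
    size_t len = strcspn(p, " \r\n");          /* software ends at a space or end of line */
    if (len == 0 || len > 100)
        return -1;
    memcpy(out->software, p, len);
    p += len;
    if (*p == ' ') {                            /* optional comments after a single space */
        p++;
        size_t clen = strcspn(p, "\r\n");
        if (clen > 100) clen = 100;
        memcpy(out->comments, p, clen);
    }
    return 0;
}

/* Constructed quirk table: a peer whose software field starts with a listed
 * prefix gets the listed workaround flag. Prefixes and flags are illustrative. */
#define QUIRK_EXAMPLE_A 0x01
#define QUIRK_EXAMPLE_B 0x02
static const struct { const char *prefix; unsigned flags; } quirks[] = {
    { "OpenSSH_2.5.", QUIRK_EXAMPLE_A },   /* more specific entries come first */
    { "OpenSSH_2.",   QUIRK_EXAMPLE_B },
};

/* Return the workaround flags for a software-version string, or 0 if none match.
 * A hidden or made-up version such as "pre_beta" therefore gets no workarounds. */
unsigned peer_quirks(const char *software)
{
    for (size_t i = 0; i < sizeof quirks / sizeof quirks[0]; i++)
        if (strncmp(software, quirks[i].prefix, strlen(quirks[i].prefix)) == 0)
            return quirks[i].flags;
    return 0;
}
```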

Mike O'Connor

May 3, 2001, 6:34:09 AM
In article <9clvh5$b91$1...@rznews2.rrze.uni-erlangen.de>,
Markus Friedl <msfr...@cip.informatik.uni-erlangen.de> wrote:
:>Is it possible to prevent sshd from reporting its exact version number

Note that a script kiddie isn't generally gonna look at the banner to
decide whether or not to run some attack script against your system.
Instead, they'll just run the attack script against your system. IMHO,
if the version information will actually prove to be useful, taken into
account by the client and server, then it makes sense to not try and
hide it. Given the relative dearth of SSH servers, it's easy enough to
figure out what implementation is being used by looking for version-specific
quirks in an extended protocol exchange.

--
Michael J. O'Connor | WWW: http://dojo.mi.org/~mjo/ | Email: m...@dojo.mi.org
Royal Oak, Michigan | (has my PGP & Geek Code info) | Phone: +1 248-427-4481

Theo de Raadt

May 3, 2001, 5:07:17 PM
Mike O'Connor <m...@dojo.mi.org> writes:

> In article <9clvh5$b91$1...@rznews2.rrze.uni-erlangen.de>,
> Markus Friedl <msfr...@cip.informatik.uni-erlangen.de> wrote:
> :>Is it possible to prevent sshd from reporting its exact version number
> :>when port 22 is telneted to?
> :
> :why?
> :
> :edit version.h, but only if you don't care
> :about interoperating with other implementations.
> :
> :older implementations of ssh protocol v2
> :contain several bugs (including openssh 2.5.2)
> :and the version string is used for
> :detecting and emulating these bugs.
>
> Note that a script kiddie isn't generally gonna look at the banner to
> decide whether or not to run some attack script against your system.
> Instead, they'll just run the attack script against your system. IMHO,
> if the version information will actually prove to be useful, taken into
> account by the client and server, then it makes sense to not try and
> hide it. Given the relative dearth of SSH servers, it's easy enough to
> figure out what implementation is being used by looking for version-specific
> quirks in an extended protocol exchange.

If I see one more note about turning off the SSH version string, I am going
to scream.

IT IS NECESSARY.

--
This space not left unintentionally unblank. der...@openbsd.org
Open Source means some restrictions apply, limits are placed, often quite
severe. Free Software has _no_ serious restrictions. OpenBSD is Free Software.
