Re: SSHD revealing too much information.

From: Makoto MATSUSHITA (matusita@jp.FreeBSD.org)
Date: 03/27/01


From: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
To: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Mar 2001 22:09:40 +0900


Trim To: field...

cjclark> The 'green@FreeBSD.org 20010321' is too much information. The
cjclark> 'OpenSSH_2.3.0' part is required for the protocol.

What do you think about NetBSD? Their ssh implementation, based on
OpenSSH 2.5.2 but hacked on their own, uses

        OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319

as a version string. Maybe it's also too much information, since
NetBSD Secure Shell is (maybe) only available for NetBSD, and it uses
a timestamp (20010319). If you doubt it, check:
<URL:http://www.freebsd.org/cgi/cvsweb.cgi/basesrc/crypto/dist/ssh/version.h?cvsroot=netbsd>

It is natural that the first word of the version string is for, and
only for, the OpenSSH implementation and/or the ssh protocol itself (I
dunno whether it's true or not), and the rest of the version string is
for identifying the OpenSSH variants (note that our ssh implementation
is *not* just a security-fixed OpenSSH 2.3.0, but has features which
do not exist in the original OpenSSH by OpenBSD).

-- -
Makoto `MAR' MATSUSHITA
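
Added example, not part of the original message or of any project's code: a small parser for the SSH identification line (layout per RFC 4253 section 4.2, which postdates this thread) that separates the fields a peer needs from the optional comment field and lists the dates and addresses that field discloses. The function names and the "SSH-1.99-" prefix of the sample banners are assumptions; the version strings are the ones quoted in the thread.

```python
import re

# Identification line layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# Everything after the first space is an optional comment field.
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# YYYYMMDD build stamps such as the ones quoted in this thread.
DATE_RE = re.compile(r"(?<!\d)(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_ident(line):
    """Split an identification line into (proto, software, comments)."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification line: %r" % line)
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def audit_ident(line):
    """List what the optional comment field discloses, as (kind, value) pairs."""
    _proto, _software, comments = parse_ident(line)
    findings = []
    if comments:
        findings.append(("comment", comments))
        findings += [("date", m.group(0)) for m in DATE_RE.finditer(comments)]
        findings += [("email", m.group(0)) for m in EMAIL_RE.finditer(comments)]
    return findings


# Constructed sample banners: the version strings are the ones quoted in the
# thread; the "SSH-1.99-" prefix and line endings are assumptions.
SAMPLES = [
    "SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321\r\n",
    "SSH-1.99-OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319\r\n",
    "SSH-1.99-OpenSSH_2.3.0\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        proto, software, _ = parse_ident(banner)
        print(software, "->", audit_ident(banner) or "nothing beyond the required fields")
```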
