Re: SSHD revealing too much information.

From: Makoto MATSUSHITA
Date: 03/27/01

From: Makoto MATSUSHITA <>
To: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Mar 2001 22:09:40 +0900

Trim To: field...

cjclark> The ' 20010321' is too much information. The
cjclark> 'OpenSSH_2.3.0' part is required for the protocol.

What do you think about NetBSD? Their ssh implementation, based on
OpenSSH 2.5.2 but hacked on their own, uses

        OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319

as a version string. Maybe it's also too much information, since
NetBSD Secure Shell is (maybe) only available for NetBSD, and it uses
a timestamp (20010319). If you doubt it, check:

It is natural that the first word of the version string is for and only
for the OpenSSH implementation and/or the ssh protocol itself (I dunno
whether it's true or not), and the rest of the version string is for
identifying the OpenSSH variants (note that our ssh implementation is
*not* just a security-fixed OpenSSH 2.3.0, but has features which do
not exist in the original OpenSSH by OpenBSD).

-- -
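
Added example (not part of the original message, and not code from FreeBSD, NetBSD or OpenSSH): a small audit that splits a server's identification line into the software version token and the trailing comments, then flags a build date or OS name in the comments. It assumes the `SSH-protoversion-softwareversion SP comments` layout later standardized in RFC 4253 section 4.2; the `SSH-2.0-` prefix on the samples, the pre-banner text line and the two regex heuristics are assumptions of this example.

```python
import re

# Identification line layout from RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Heuristics (assumptions of this example): a YYYYMMDD build stamp and an OS name.
DATE_STAMP = re.compile(r"(?<!\d)(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])(?!\d)")
OS_NAME = re.compile(r"(?:Free|Net|Open)BSD|Linux|Debian|Ubuntu", re.IGNORECASE)


def audit_banner(raw_lines):
    """Return the parsed identification line plus findings about its comments field."""
    for raw in raw_lines:
        line = raw.rstrip("\r\n")
        if not line.startswith("SSH-"):
            continue  # a server may send other text lines before the identification
        m = IDENT.match(line)
        if m is None:
            raise ValueError(f"malformed identification line: {line!r}")
        comments = m.group("comments") or ""
        findings = []
        if DATE_STAMP.search(comments):
            findings.append("build-date")
        if OS_NAME.search(comments):
            findings.append("os-name")
        return {"proto": m.group("proto"), "software": m.group("software"),
                "comments": comments, "findings": findings}
    raise ValueError("no SSH identification line found")


# Constructed samples: the "SSH-2.0-" prefix is assumed, and the first line is
# assembled from the two fragments quoted in the message above.
SAMPLES = [
    ["SSH-2.0-OpenSSH_2.3.0 20010321\r\n"],
    ["SSH-2.0-OpenSSH_2.5.2 NetBSD_Secure_Shell-20010319\r\n"],
    ["constructed pre-banner text\r\n", "SSH-2.0-OpenSSH_2.3.0\r\n"],
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit_banner(sample)
        print(result["software"], "|", result["comments"] or "-", "|", result["findings"])
```

The software version token is kept apart from the comments, so the audit only reports on the part of the line that the thread treats as optional.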