Re: [Bug 2971] New: Prevent OpenSSH from advertising its version number


 



Also, a lot of measurement/research on deployment of OpenSSH relies on
version advertising for its statistics. It's going to be harder to know
the impact of deprecation of certain legacy features without statistics.

I also agree with Mark here.



On Wed, Feb 20, 2019 at 10:57 AM Mark D. Baushke <mdb@xxxxxxxxxxx> wrote:

> Nagesh writes:
>
> > Cyber security team has recommended to disable the OpenSSH software
> > version advertising when the connection has been established.
>
> With respect, your cyber security team are foolish if they think that
> obscurity of version will stop any bad actors from attempting to break
> into OpenSSH in any way possible. The only folks hurt by suppressing the
> version advertising are the other implementations of the Secure Shell.
>
> Please DO NOT allow the suppression of the OpenSSH version number.
>
> There are just too many cases where both OpenSSH interoperating with
> itself as well as other SSH implementations have needed this version
> number to properly deal with bugs in the code via negotiations.
>
> This bug should be closed with WONTFIX.
>
>        Thank you,
>         -- Mark
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>