[ale] SSHD reports version info!?
Ronald Chmara
ron at Opus1.COM
Thu Feb 19 03:48:55 EST 2004
On Feb 19, 2004, at 2:39 AM, Kevin Krumwiede wrote:
> (I posted this to the debian-user list but it never showed up.)
>
> When I telnet to port 22 on my 3.0r2 server, I see this:
>
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
>
> Isn't that considered sensitive information?
Not really. Most services have "signatures", as do OS's. If you can't
determine it blatantly, there's always response patterns. (See
"security through obscurity").
> Why advertise it so
> blatantly?
Partly so the program can log in properly (use proper ssh versions). As
far as reporting the OS, *shrug*.
> Is there any way to turn this banner off?
Haven't seen this one in a config file (there is a Banner keyword, but
it's different), but it should be easy enough to edit the source to
limit it down. Change it and post a diff to the openssh team, with an
explanation, I guess...
-Bop
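
Added example, not part of the original message: a small parser for the SSH identification string format defined in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`), showing which fields the version exchange requires and that the Debian package string sits in the optional comments field. The function names are hypothetical, and the second sample line is constructed.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# The RFC forbids '-' in softwareversion; this pattern tolerates it because
# deployed implementations do not always comply.
IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def find_ident(data: bytes) -> dict:
    """Return the fields of the first identification line in pre-auth data.

    A server may send other lines before its version string, so lines
    that do not start with "SSH-" are skipped.
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if not line.startswith("SSH-"):
            continue
        if len(line) > 253:  # 255-character limit includes CR LF
            raise ValueError("identification string too long")
        m = IDENT.match(line)
        if m is None:
            raise ValueError("malformed identification string")
        return m.groupdict()
    raise ValueError("no SSH identification string found")

def speaks_protocol_2(fields: dict) -> bool:
    """1.99 is a server's way of saying it supports 2.0 and older versions."""
    return fields["proto"] in ("2.0", "1.99")

def optional_disclosure(fields: dict):
    """The comments field is optional; here it carries the Debian package version."""
    return fields["comments"]

if __name__ == "__main__":
    # First sample is the banner quoted in the message; second is constructed.
    samples = [
        b"SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3\r\n",
        b"constructed pre-banner notice\r\nSSH-1.99-OpenSSH_3.4p1\r\n",
    ]
    for s in samples:
        f = find_ident(s)
        print(f, speaks_protocol_2(f), optional_disclosure(f))
```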