9096tyz opened a new issue, #894:
URL: https://github.com/apache/mina-sshd/issues/894
Version
2.14.0
Bug description
Nmap can scan the version number of Apache mina sshd. Attackers may obtain
the version number and find the corresponding vulnerability to attack the
system.
Actual behavior
Nmap can scan the version number of Apache mina sshd. Attackers may obtain
the version number and find the corresponding vulnerability to attack the
system.
Expected behavior
We hope that open source software will give us a way to hide version
information.
Relevant log output
For details about the problem symptom and code segment, see the Other
information sections. We want to modify it, but we don't have a public method to
modify it.
1. org/apache/sshd/common/session/helpers/SessionHelper.java:

    protected String resolveIdentificationString(String configPropName) {
        FactoryManager manager = getFactoryManager();
        String ident = manager.getString(configPropName);
        return SessionContext.DEFAULT_SSH_VERSION_PREFIX +
            (GenericUtils.isEmpty(ident) ? manager.getVersion() : ident);
    }

It is protected, so we cannot change it.
2. org/apache/sshd/client/session/AbstractClientSession.java:

    protected IoWriteFuture sendClientIdentification() throws Exception {
        clientVersion =
            resolveIdentificationString(CoreModuleProperties.CLIENT_IDENTIFICATION.getName());
        // Note: we intentionally use an unmodifiable list in order to
        // enforce the fact that client cannot send header lines
        signalSendIdentification(clientVersion, Collections.emptyList());
        return sendIdentification(clientVersion, Collections.emptyList());
    }

The clientVersion is protected.
The following modifications do not take effect.
tomaswolf (Member), on Jun 30, 2024: https://github.com/apache/mina-sshd/issues/520#issuecomment-2198601067
Set the property CoreModuleProperties.CLIENT_IDENTIFICATION (or
CoreModuleProperties.SERVER_IDENTIFICATION for a server) to whatever
identification you want to use. (Set it on the SshClient or SshServer.) Note
that the value should be a valid identification string, without the "SSH-2.0-"
prefix.
Besides, even if methods are protected, you can still override them.
Subclass ClientSessionImpl or ServerSessionImpl and override the method. Then
create a SessionFactory that creates instances of your subclass, and set that
factory on the SshClient or SshServer.
But for the identification string, just setting the property is sufficient
and simpler.
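The property-based approach described in the quoted comment, as an added example that is not code from the issue or from the mina-sshd project: it starts an SshServer with a custom identification string and then reads the first line back over a plain socket, which is exactly what a banner scanner sees. The port 2222 and the identification text "ServiceSSH" are assumptions; the host-key provider generates a throwaway key for the demo.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

import org.apache.sshd.core.CoreModuleProperties;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

public class ServerIdentificationExample {

    // Assumed values for the demo. Per RFC 4253 section 4.2 the software-version
    // part must be printable US-ASCII without whitespace or '-' characters.
    static final int PORT = 2222;
    static final String IDENT = "ServiceSSH";

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(PORT);
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider());

        // Set the identification on the server (the FactoryManager). resolveIdentificationString()
        // prepends "SSH-2.0-" itself, so the value is given without that prefix. When the
        // property is unset the library's own version string (which embeds its version
        // number) is advertised instead.
        CoreModuleProperties.SERVER_IDENTIFICATION.set(sshd, IDENT);

        sshd.start();
        try {
            String banner = readBanner(PORT);
            System.out.println("Server advertised: " + banner);
            if (!("SSH-2.0-" + IDENT).equals(banner)) {
                throw new IllegalStateException("Unexpected banner: " + banner);
            }
        } finally {
            sshd.stop();
        }
    }

    // Read the identification line: the server sends it as the first line after connect,
    // before any key exchange, so no SSH client is needed to check it.
    static String readBanner(int port) throws Exception {
        try (Socket s = new Socket("127.0.0.1", port);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII))) {
            return in.readLine();
        }
    }
}
```

The same check works against a running deployment with any banner grabber; the property only changes the advertised string, not the library version actually in use.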
--
This is an automated message from the Apache Git Service.