Matthew Seaman wrote:
On Mon, Mar 29, 2004 at 10:32:42AM +0100, Danny Woods wrote:you can also change the version sshd displays by editing carefuly the
binary (vi `which sshd`) directly with a suitable editor, you can just
replace 3.6.1p1 with 3.8.1p1 there and restart sshd (killall -HUP sshd).
But my opinion is that will just give you a false state of security, as
a script kiddie could just ./run all of his exploits not looking at the
version of your sshd. A good thing is to bind sshd to different port
(higher) like 45622 for example which would probably avoid automatic
scans of the network... Be creative! ;-)
I upgraded from 5.1 to 5.2.1p3 over the weekend, and finished off with a Nessus
scan to check that ssh was the only port visible to the outside world. Despite
a recent (i.e. last Thursday) cvsup to sync the source tree, I'm getting a
high severity warning about a hole in SSH based on the version number reported
(3.6.1p1 FreeBSD-20030924). I'm using the core ssh, not the version from ports.
Does anyone know if this problem is real, or a false-positive?
It's false. I assume it's complaining about the problems described in
as that's the last OpenSSH advisory published. (Not to be confused
with the recent OpenSSL advisory). The security patches supplied fix
the vulnerabilities, but they generally don't do that by supplying a
whole new version of an application. Import of new versions of such
things as OpenSSH will only happen on one of the development branches
-- ie. HEAD (5-CURRENT) or RELENG_4 (4.9-STABLE), so RELENG_5_2 will
stick with OpenSSH-3.6.1p1 and you'll have to wait until RELENG_5_3 in
order to upgrade to OpenSSH-3.8p1 (or whatever the OpenSSH version is
by the time 5.3-RELEASE comes out).
As an aside, can sshd be prevented from reporting its version number on
connect, or is this something that a client-app needs to know?
The client app needs to know the version of the SSH protocol you're
running -- that it gets from the 'SSH-1.99' part at the beginning of
the banner ssh emits when you connect to port 22. The rest of what's
printed there is not so important. Apart from the 'version addendum'
part, you'ld have to hack the source code and recompile to chage
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"