Jason King wrote:
> On Wed, Jul 30, 2008 at 8:58 AM, Jan Pechanec <Jan.Pechanec at sun.com> wrote:
>> On Wed, 30 Jul 2008, Darren J Moffat wrote:
>>
>>>> I am using Solaris 10 5/08
>>> For Solaris 10 support questions please contact Sun Services. This
>>> alias is for OpenSolaris.
>>>
>>> I'm not sure if the DisableBanner support is in any Solaris 10 release.
>> Darren, you read too fast :-) The question was about banner but what
>> was actually requested was to hide the version string "SSH-2.0-Sun_SSH_1.1".
>>
>> to ldaves - it can't be done. The version string serves as a means
>> to switch on/off various compatibility flags. The version string is part of
>> the protocol and there is no way SSH could work without it.
>
> If I were to bet, certain 'Enterprise' Security Management products
> (*cough*) consider it a security 'risk' to present such info (and flag
> it as a 'high' risk in their scans). I believe the commercial SSH
> software allows you to set a custom string.
>
> I wonder if it might be useful to have a blurb somewhere explaining
> the importance. Sometimes makes it easier to argue the scanning
> software is wrong if you can point to something besides just 'trust
> me'.

RFC 4253 Section 4.2: the softwareversion part of the overall identification string is NOT OPTIONAL; only the comments (which we don't have) is OPTIONAL. It says:

"The 'softwareversion' string is primarily used to trigger compatibility extensions and to indicate the capabilities of an implementation."

http://www.ietf.org/rfc/rfc4253.txt

That document should be considered authoritative since it is the protocol specification.

--
Darren J Moffat
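
The format cited in this thread (RFC 4253 Section 4.2, `SSH-protoversion-softwareversion SP comments CR LF`) as a small parser, added here as an illustration and not part of the original messages or of any SSH implementation. It shows that a line with the softwareversion removed is rejected, and how a peer can map softwareversion to compatibility flags; the `QUIRKS` table, its patterns and its flag names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

MAX_LEN = 255  # RFC 4253 4.2: maximum length, CR LF included

# protoversion / softwareversion: printable US-ASCII except whitespace and '-'
_TOKEN = rb"[\x21-\x2c\x2e-\x7e]+"
_IDENT = re.compile(
    rb"SSH-(?P<proto>" + _TOKEN + rb")-(?P<software>" + _TOKEN + rb")"
    rb"(?: (?P<comments>[^\r\n]*))?\r\n"
)

# Constructed quirk table: patterns and flag names are hypothetical, standing
# in for the per-implementation workarounds a peer picks from softwareversion.
QUIRKS = [
    ("Example_SSH_1.*", {"QUIRK_OLD_REKEY"}),
    ("Example_SSH_*", {"QUIRK_PADDED_SIG"}),
]


def parse_ident(line: bytes) -> dict:
    """Parse one identification line; raise ValueError if it violates 4.2."""
    if len(line) > MAX_LEN:
        raise ValueError("identification string exceeds 255 bytes")
    m = _IDENT.fullmatch(line)
    if m is None:
        raise ValueError("not a valid SSH identification string")
    comments = m.group("comments")  # optional field: None when absent
    return {
        "proto": m.group("proto").decode("ascii"),
        "software": m.group("software").decode("ascii"),
        "comments": None if comments is None else comments.decode("ascii", "replace"),
    }


def compat_flags(software: str) -> set:
    """Union of all quirk flags whose pattern matches the peer's softwareversion."""
    flags = set()
    for pattern, quirk in QUIRKS:
        if fnmatchcase(software, pattern):
            flags |= quirk
    return flags
```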