Bug 473130 - net-misc/openssh: Add an option to remove/fake valuable information in TCP banner
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
: Normal enhancement
Assignee: Gentoo's Team for Core System packages
Reported: 2013-06-12 19:43 UTC by locozenoz
Modified: 2015-03-22 05:34 UTC
Description locozenoz 2013-06-12 19:43:56 UTC
In my opinion, OpenSSH gives away way too much information that is unnecessary for the connection.
My request asks for an option to either disable all the text except SSH-2.0 in the TCP banner, or fake this information, giving more security options to users.
This information holds no necessary information for the client, and makes a cracker's work easier, while holding way too little use for system administration.
An option to fake it seems like a good option, because you may mislead the cracker into thinking that you are using, for example, Debian Etch or OpenBSD. Or add some completely misleading information like random text, a fake kernel version or the name of a non-existent GNU/Linux distribution.

Reproducible: Always

Steps to Reproduce:
1. Start OpenSSH on the server
2. Do "nc server port", replacing server with the address of the server you started OpenSSH on and port with the port you started it on.
3. See the problem
Actual Results:
I saw the server banner, which revealed way too much unnecessary information

Expected Results:  
Exactly the thing that happened.
Comment 1 SpanKY gentoo-dev 2015-03-22 05:34:00 UTC
the banner is used somewhat to probe for compatibility

if you want to muck with it, you can request upstream add an option:
  https://bugzilla.mindrot.org/

or you can create a local patch and have it applied via epatch_user
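
As an added example (not part of the bug report and not OpenSSH's own code), the sketch below parses the identification line seen in step 2 according to RFC 4253 section 4.2 and separates the protocol version, which peers check for compatibility, from the software version and comments the report is about. The function names and the sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
MAX_IDENT_LEN = 255  # RFC 4253 limit, CR LF included


def parse_ident(raw: bytes) -> dict:
    """Return the fields of the identification line in what a server sent first."""
    # A server may send other lines before the identification line; skip them.
    line = next((ln for ln in raw.split(b"\n") if ln.startswith(b"SSH-")), None)
    if line is None:
        raise ValueError("no SSH identification line")
    if len(line) + 1 > MAX_IDENT_LEN:  # +1 for the LF removed by split()
        raise ValueError("identification line longer than 255 bytes")
    m = IDENT_RE.match(line.rstrip(b"\r").decode("ascii"))
    if m is None:
        raise ValueError("malformed identification line")
    return m.groupdict()


def speaks_protocol_2(ident: dict) -> bool:
    """Protocol 2 peers accept "2.0"; a server sending "1.99" also speaks 2.0."""
    return ident["proto"] in ("2.0", "1.99")


def extra_disclosure(ident: dict) -> list:
    """List what the line reveals beyond the protocol version."""
    name, _, version = ident["software"].partition("_")
    found = ["implementation: " + name]
    if version:
        found.append("release: " + version)
    if ident["comments"]:
        found.append("comments: " + ident["comments"])
    return found


# Constructed sample banners (not captured from any real host).
SAMPLES = [
    b"SSH-2.0-OpenSSH_6.2\r\n",
    b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n",
    b"Welcome\r\nSSH-1.99-ExampleSSHD_1.0 build-7\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        ident = parse_ident(raw)
        print(ident, speaks_protocol_2(ident), extra_disclosure(ident))
```

Only the `proto` field is defined by the RFC as the version being negotiated; the `comments` field is optional, which is where a distribution patch level typically appears.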