reassign 492557 ssh
severity 492557 wishlist
merge 130876 492557
thanks

On Sun, Jul 27, 2008 at 11:00:37AM +0200, Emjay wrote:
> During connection openssh-server sends its version string to the client.
> While that is perfectly ok for the version string itself, the
> information added to the version string gives away free additional
> information to a potential attacker about the system sshd is running on.

This has been filed many times before (please see the bug reports which I have just merged with this one), but the addition of this information is deliberate. I'm afraid I believe that the benefits to network administrators performing central friendly scanning to secure their networks against vulnerabilities outweigh the minimal costs, and I do not intend to change this.

In general, people won't look at your version string before deciding whether to try an attack; they'll just try the attack and move on if it doesn't work.

Regards,

-- 
Colin Watson [EMAIL PROTECTED]
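
The "central friendly scanning" use case from the reply, as an added example that is not part of the original message or of the ssh package: it parses the identification string (RFC 4253 section 4.2 layout) and shows that, without the distribution suffix, an inventory scan cannot tell a patched package from an unpatched one at the same upstream version. The banners, host names, the "first fixed" policy values and all function names are constructed for illustration, and the revision comparison is a simplification of real package version ordering.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RFC 4253 section 4.2 layout: SSH-protoversion-softwareversion SP comments CR LF
ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")
DEBIAN_RE = re.compile(r"^Debian-(\d+)")  # leading integer of the package revision


class Banner(NamedTuple):
    proto: str
    software: str
    upstream: Optional[Tuple[int, ...]]  # (major, minor, patch, portable)
    debian_rev: Optional[int]            # None when no distribution suffix is sent


def parse_banner(line: str) -> Optional[Banner]:
    m = ID_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    up = OPENSSH_RE.match(m["software"])
    upstream = tuple(int(g or 0) for g in up.groups()) if up else None
    deb = DEBIAN_RE.match(m["comments"] or "")
    return Banner(m["proto"], m["software"], upstream, int(deb.group(1)) if deb else None)


def classify(line: str, fixed_upstream: Tuple[int, ...], fixed_debian_rev: int) -> str:
    """Compare one banner against a 'first fixed' policy (simplified comparison)."""
    b = parse_banner(line)
    if b is None or b.upstream is None:
        return "unparsed"
    if b.upstream != fixed_upstream:
        return "ok" if b.upstream > fixed_upstream else "outdated"
    if b.debian_rev is None:
        # Same upstream version, no suffix: patch level is not visible to the scan.
        return "unknown-patch-level"
    return "ok" if b.debian_rev >= fixed_debian_rev else "outdated"


# Constructed policy: hypothetical fix shipped in upstream 4.7p1, package revision 10.
FIXED = ((4, 7, 0, 1), 10)
# Constructed banners, as a scanner would read them from port 22.
SAMPLES = {
    "host-a": "SSH-2.0-OpenSSH_4.7p1 Debian-8\r\n",
    "host-b": "SSH-2.0-OpenSSH_4.7p1 Debian-12\r\n",
    "host-c": "SSH-2.0-OpenSSH_4.7p1\r\n",
    "host-d": "SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",
}


def audit(samples=SAMPLES):
    return {host: classify(line, *FIXED) for host, line in samples.items()}
```
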

