
Bug#492557: openssh-server discloses unnecessary information about the system in version string



reassign 492557 ssh
severity 492557 wishlist
merge 130876 492557
thanks

On Sun, Jul 27, 2008 at 11:00:37AM +0200, Emjay wrote:
> During connection openssh-server sends its version string to the client.
> While that is perfectly ok for the version string itself, the
> information added to the version string gives away free additional
> information to a potential attacker about the system sshd is running on.

This has been filed many times before (please see the bug reports which
I have just merged with this one), but the addition of this information
is deliberate. I'm afraid I believe that the benefits to network
administrators performing central friendly scanning to secure their
networks against vulnerabilities outweigh the minimal costs, and I do
not intend to change this. In general, people won't look at your version
string before deciding whether to try an attack; they'll just try the
attack and move on if it doesn't work.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]
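The thread turns on what a "central friendly scanning" tool can recover from the identification string sshd sends at connection time. The following is an added example, not code from the bug report, from Debian or from OpenSSH: it parses identification strings in the form RFC 4253 section 4.2 specifies (`SSH-protoversion-softwareversion SP comments`), pulls out the upstream OpenSSH version and the distribution suffix carried in the comments field, and flags hosts whose banner falls below a baseline an administrator configures. The banner samples, host names and the baseline version are constructed for illustration; no claim is made about any particular version.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# The trailing CR LF is stripped before matching.
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# OpenSSH's softwareversion looks like OpenSSH_5.1p1 (major.minor[.patch][pN]).
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")


@dataclass
class SshBanner:
    proto: str
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> SshBanner:
    """Split one identification string into its three RFC 4253 fields."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m["proto"], m["software"], m["comments"])


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an OpenSSH softwareversion, else None."""
    m = _OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def vendor_revision(comments: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split a distribution suffix such as 'Debian-5' into (vendor, revision).

    This is the extra information the bug report objects to; for an
    administrator it is what tells a backported package from an unpatched one.
    """
    if not comments or "-" not in comments:
        return None
    vendor, revision = comments.split("-", 1)
    return vendor, revision


def inventory(banners: Dict[str, str], baseline: Tuple[int, int, int]) -> Dict[str, list]:
    """Classify hosts by banner: below the baseline, not OpenSSH, or unparseable."""
    report = {"below_baseline": [], "not_openssh": [], "unparseable": []}
    for host, line in banners.items():
        try:
            banner = parse_banner(line)
        except ValueError:
            report["unparseable"].append(host)
            continue
        version = openssh_version(banner.software)
        if version is None:
            report["not_openssh"].append(host)
        elif version < baseline:
            report["below_baseline"].append((host, version, vendor_revision(banner.comments)))
    return report


# Constructed sample banners (hypothetical hosts; versions chosen for illustration).
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",
    "host-b": "SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n",
    "host-c": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "host-d": "SSH-2.0-dropbear_2019.78\r\n",
    "host-e": "220 not an ssh server\r\n",
}

if __name__ == "__main__":
    for bucket, hosts in inventory(SAMPLE_BANNERS, baseline=(5, 0, 0)).items():
        print(bucket, hosts)
```

The `vendor_revision` result is what the Debian suffix buys a scanner: two hosts can both report `OpenSSH_4.3p2`, and only the package revision says whether the distribution has backported a fix, which is why the reply treats the suffix as useful to administrators rather than to attackers.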