[ubuntu-hardened] hiding ssh version

[Kees Cook]

Hi Dan,

On Sat, Mar 28, 2009 at 12:00:40AM -0600, Dan Howerton wrote:
> x at x:~$ telnet 1.1.1.1 22

I recommend "nc" since it doesn't send or process Telnet escape sequences[1].

> I dont quite fancy this so I did some poking around google and found a patch
> to hide this at
> 
> http://www.kramse.dk/projects/unix/opensshhideversion_en.html
> 
> Is it possible to get this patch into either the standard openssh package or
> one we can grab through the security repo?

There has been a long-standing bug[2] with upstream, where I supplied
a few versions of possible patches, but they continue to really dislike
the idea.

My reasoning has been that I can already change the banner on other
services (SMTP, e.g.), so why not have the same available for SSH?  I have
been nervous about carrying such a patch in Ubuntu without upstream
approval, though.

I understand their reasoning about not wanting to mess with the protocol
versions, and I get that clients may need to tweak behavior based on the
software version, and I've seen situations where even using the version
comment could be useful to clients, but I think that's all moot since
only a small number of people would even use these options.

If someone wants to try to convince upstream otherwise, I would be very
happy.  :)

-Kees

[1] http://en.wikipedia.org/wiki/Telnet
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=764

-- 
Kees Cook
Ubuntu Security Team