git: b0025f9b7ff0 - main - openssh: update default version addendum in man pages

Ed Maste emaste at freebsd.org
Thu Sep 16 21:28:12 UTC 2021


On Sun, 5 Sept 2021 at 12:26, Ronald Klop <ronald-lists at klop.ws> wrote:
>
> I'm wondering why the FreeBSD project adds this information to the banner by default. I learned that not exposing information about the running system is good security practice.
> Any thoughts about this? What is the gain of this banner?

Like many things it's a tradeoff. Adding the version to sshd's banner
provides an easy way for an administrator to confirm that an update
has been applied (assuming that the version is updated). Conversely,
it's even easier (for an attacker) to connect and just attempt some
misbehaviour than it would be to check this version string first.

We introduced the VersionAddendum here:

commit 933ca70f8f888b7fc1b06213198ba15ca346aeca
Author: Brian Feldman <green at FreeBSD.org>
Date:   Thu May 3 00:29:28 2001 +0000

    Add a "VersionAddendum" configuration setting for sshd which allows
    anyone to easily change the part of the OpenSSH version after the main
    version number.  The FreeBSD-specific version banner could be disabled
    that way, for example:

    # Call ourselves plain OpenSSH
    VersionAddendum

Notes:
    svn path=/head/; revision=76227

Upstream adopted it here:

commit 23528816dc10165b3bc009f2ab5fdf1653db418c
Author: Damien Miller <djm at mindrot.org>
Date:   Sun Apr 22 11:24:43 2012 +1000

       - djm at cvs.openbsd.org 2012/04/12 02:42:32
         [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
         VersionAddendum option to allow server operators to append
         some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@

Now, we support it for both the client and server while upstream
supports it for the server only. I suspect there isn't a lot of value
in the client-side support, and am considering removing it to reduce
the differences between our in-tree ssh and upstream, and ease future
OpenSSH updates.
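The administrator-side check the message describes (confirming that an update has landed by reading what sshd advertises) comes down to parsing the SSH identification string, where a VersionAddendum shows up as the comment field after the software version. The example below is added here and is not code from the thread or from FreeBSD/OpenSSH; the banner strings in it are constructed samples, and the function and type names (`parse_banner`, `openssh_version`, `update_applied`, `fetch_banner`, `Banner`) are this example's own.

```python
"""Parse SSH identification strings to see which server version (and which
VersionAddendum, if any) a host advertises.  Added example; the banners
below are constructed samples, not captured from a real host."""
import re
import socket
from typing import NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# sshd sends "SSH-2.0-OpenSSH_X.Y" and, when VersionAddendum is set, a space
# followed by the addendum text as the comments field.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


class Banner(NamedTuple):
    proto: str
    software: str
    addendum: Optional[str]  # None when no VersionAddendum is configured


def parse_banner(line: str) -> Banner:
    """Split one identification line into protocol, software version and the
    optional comment (where VersionAddendum lands).  Raises ValueError if the
    line is not an SSH identification string."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comment"))


def openssh_version(b: Banner) -> Optional[Tuple[int, int]]:
    """Return the OpenSSH major/minor version as a comparable tuple, e.g.
    (8, 7) for 'OpenSSH_8.7p1'; None if the software field is not OpenSSH."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", b.software)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def update_applied(line: str, expected_addendum: str) -> bool:
    """The admin check from the thread: does the banner now carry the
    addendum that shipped with the update?  (expected_addendum is whatever
    value the operator knows the updated sshd_config sets.)"""
    return parse_banner(line).addendum == expected_addendum


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server (not exercised
    offline).  The server sends it before any client data is needed, and
    RFC 4253 allows other lines to precede the SSH- line, so skip those."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:
            line = f.readline().decode("ascii", "replace")
            if not line:
                raise ValueError("connection closed before an SSH- line")
            if line.startswith("SSH-"):
                return line


# Constructed sample banners: one with a FreeBSD-style addendum, and one
# with an empty VersionAddendum (the "plain OpenSSH" case from the 2001
# commit quoted in the thread).
SAMPLES = [
    "SSH-2.0-OpenSSH_8.7 FreeBSD-20210907\r\n",  # constructed sample
    "SSH-2.0-OpenSSH_8.7\r\n",                    # constructed sample
]

if __name__ == "__main__":
    for s in SAMPLES:
        b = parse_banner(s)
        print(b, openssh_version(b))
```

Against a real host, `parse_banner(fetch_banner("sshd.example.internal"))` gives the same `Banner` tuple; comparing `addendum` (or `openssh_version`) before and after a patch is the cheap confirmation the message refers to, with the caveat it also states: the check only tells you something if the addendum or version string actually changed with the update.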

