mwspitzer n00b
Joined: 21 Nov 2006 Posts: 38
Posted: Fri Apr 06, 2007 8:18 pm Post subject: Disable OpenSSH identifier?

I'm working on locking down a system and I've been requested to make it as tightened as possible. Right now the only access in is using ssh over a non-standard port. I noticed, though, that if I telnet to that port, it identifies itself as "SSH-2.0-OpenSSH_4.5". Is it possible to disable that identifier or is that required for the client machine to make the connection?
Thanks
Mike

infinite1der n00b
Joined: 31 Jan 2006 Posts: 52 Location: Atlanta, GA
Posted: Fri Apr 06, 2007 8:58 pm Post subject:

Looking at sshd.c under sshd_exchange_identification{}, there are "send our version", "get their version", and "check for mismatch" bits. So, I don't think you could easily remove that.
_________________
----------------------
James A. Thornton
Atlanta, GA
How To Ask Questions the Smart Way
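
The three steps named above are the identification-string exchange that RFC 4253 (section 4.2) requires before key exchange can even start; the following is an added example, not code from this thread or from OpenSSH, that simulates both ends of that exchange offline over a socketpair and shows why a server that sends nothing leaves the client with nothing to parse. The two banners, the client name and all function names are constructed for the demo.

```python
import re
import socket
import threading

# Constructed strings for an offline demo (not from any real host): the OP's banner and a hypothetical client.
SERVER_ID = b"SSH-2.0-OpenSSH_4.5"
CLIENT_ID = b"SSH-2.0-ExampleClient_0.1"
# RFC 4253 section 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF
ID_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$")

def parse_identification(line: bytes):
    """'get their version': split the peer's line into (protoversion, softwareversion, comments)."""
    m = ID_RE.match(line.decode("ascii", errors="replace").rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group("proto"), m.group("soft"), m.group("comments")

def compatible(proto: str) -> bool:
    """'check for mismatch': a 2.0 peer accepts 2.0, or 1.99 (peer advertising both 1.x and 2.0)."""
    return proto in ("2.0", "1.99")

def read_identification(sock: socket.socket) -> bytes:
    """Read one line; RFC 4253 caps the identification line at 255 bytes including CR LF."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < 255:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf

def exchange(sock: socket.socket, our_id: bytes):
    """The three steps quoted from sshd.c: send our version, get theirs, check for mismatch."""
    sock.sendall(our_id + b"\r\n")
    proto, soft, _comments = parse_identification(read_identification(sock))
    if not compatible(proto):
        raise RuntimeError("protocol mismatch: peer offers SSH %s" % proto)
    return proto, soft

def simulate(server_id: bytes = SERVER_ID, client_id: bytes = CLIENT_ID) -> dict:
    """Run both ends over a socketpair, offline; returns what each side learned about its peer."""
    srv, cli = socket.socketpair()
    result = {}
    with srv, cli:
        t = threading.Thread(target=lambda: result.update(server=exchange(srv, server_id)))
        t.start()
        try:
            result["client"] = exchange(cli, client_id)  # fails if the server sent nothing usable
        finally:
            t.join()
    return result
```

Calling simulate() with an empty server_id, or with one that advertises an unsupported protocol version, makes the client side fail at exactly the parse or mismatch step, which is the behaviour the thread is discussing.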

matze_na n00b
Joined: 04 Apr 2007 Posts: 54 Location: Germany
Posted: Fri Apr 06, 2007 10:39 pm Post subject:

|
As a workaround, you could have a look at port knocking (see here), so sshd doesn't respond at all unless a specified sequence is sent before.

konqueror Tux's lil' helper
Joined: 16 Mar 2003 Posts: 76
Posted: Sat Apr 07, 2007 7:26 am Post subject:

|
I don't think you can really get rid of the version sending - there's an FAQ answer somewhere saying that it is needed to coordinate the protocol properly between the 2 systems... Unless, of course, you hack into the source for *both* client and server, and hard-code the version that they will use...

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sat Apr 07, 2007 9:21 am Post subject:

|
Besides the fact that security by obscurity doesn't really work (but maybe attracts bad guys even more), it is a bad idea in this case; see http://www.openssh.org/faq.html#2.14
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

konqueror Tux's lil' helper
Joined: 16 Mar 2003 Posts: 76
Posted: Sat Apr 07, 2007 9:24 am Post subject:

Think4UrS11 wrote:
> besides the fact that security by obscurity doesn't really work (but attract bad guys maybe even more) it is a bad idea in this case, see http://www.openssh.org/faq.html#2.14

Ahh, you found the FAQ item!

kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
Posted: Sat Apr 07, 2007 2:10 pm Post subject:

It is easy to change it: go to the source, untar it, and edit version.h (I think that was the name of the file, but I'm sure it was a .h file). Change it, tar it again, and create the correct digest again with
ebuild /path/to/portdir_overlay/file.ebuild digest
After that, emerge openssh as usual.
I've got it working on some of the servers I work with.
_________________
Everything you wanted to know about Google at: www.noticiasgoogle.es

konqueror Tux's lil' helper
Joined: 16 Mar 2003 Posts: 76
Posted: Sat Apr 07, 2007 2:26 pm Post subject:

kamikaze04 wrote:
> I've got it working in some of the servers i work with.

So you're saying that on those servers, a telnet to the ssh port will not reveal the ssh version?

kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
Posted: Sat Apr 07, 2007 9:37 pm Post subject:

That's exactly what I'm saying. I show a completely different version from the one that is installed.
_________________
Everything you wanted to know about Google at: www.noticiasgoogle.es

mwspitzer n00b
Joined: 21 Nov 2006 Posts: 38
Posted: Tue Apr 10, 2007 12:33 am Post subject:

Thanks for all of the responses, guys; I'll just leave it as it is. I'm confident it's as secure as I can reasonably make it, but this was one other thing I'd never tried before.
Mike