How to set a custom SSH connection response string?

3

Is it possible to modify the string that the OpenSSH server displays when a raw connection is established?

It is not about the text banner displayed after the connection is established and which can be configured by the Banner parameter in sshd_config, but about the raw output the SSH server sends on a connection attempt before the handshake.

For example, given a raw telnet connection

$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2

is there a way to reduce identifying information to the bare minimum?

My understanding is that SSH-2.0- must be present because it is required by the SSH protocol, but the string that follows - OpenSSH_7.2p2 - is probably not required by the protocol but I can't see a way to change or remove it without recompiling.

The intent is to avoid providing more info than strictly necessary for the protocol to work.

ccpizza

Posted 2017-01-29T20:09:50.017

Reputation: 5 372

1

No. Prevent SSH from advertising its version number.

– Hex – 2017-01-29T20:12:09.723

Answers

5

No. The version string is defined in version.h of OpenSSH source as

#define SSH_VERSION "OpenSSH_7.4"

You could change it, but it requires recompiling.

It is then put together and sent via:

snprintf(buf, sizeof buf, "SSH-2.0-%.100s\r\n", SSH_VERSION)

(ssh_api.c line 381, in function _ssh_send_banner)

See also: Prevent SSH from advertising its version number.

Hex

Posted 2017-01-29T20:09:50.017

Reputation: 982

2

Recent OpenSSH versions allow adding custom text via VersionAddendum, but do not allow removing the product name/version. You'll have to patch the source code for that.

user1686

Posted 2017-01-29T20:09:50.017

Reputation: 283 655
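
The identification line from the question, split into the fields that RFC 4253 section 4.2 defines (`SSH-protoversion-softwareversion SP comments CR LF`), so you can check what an sshd build discloses before and after setting VersionAddendum or patching version.h. This is an added example, not part of the question or of any answer; the function names and the `example-addendum` value are made up for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: softwareversion is printable ASCII without space or '-'.
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
FROM_QUESTION = b"SSH-2.0-OpenSSH_7.2p2\r\n"                    # banner shown in the question
CONSTRUCTED = b"SSH-2.0-OpenSSH_7.2p2 example-addendum\r\n"    # constructed sample

def parse_ident(line: bytes) -> dict:
    """Split an SSH identification line into proto, software and comments."""
    if len(line) > 255:  # RFC limit, CR LF included
        raise ValueError("identification line exceeds 255 bytes")
    m = IDENT_RE.match(line)
    if m is None:
        raise ValueError("not an SSH identification line")
    return {k: (v.decode("ascii") if v is not None else None)
            for k, v in m.groupdict().items()}

def disclosed(ident: dict) -> list:
    """List what an unauthenticated peer learns beyond the mandatory 'SSH-2.0-'."""
    findings = []
    m = re.match(r"([A-Za-z]+)_([0-9][\w.]*)$", ident["software"])
    if m:
        findings += ["product: " + m.group(1), "version: " + m.group(2)]
    else:
        findings.append("software: " + ident["software"])
    if ident["comments"]:
        findings.append("comments: " + ident["comments"])
    return findings

def read_ident(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the identification line an sshd sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):  # servers may send other lines first; cap is arbitrary
            line = f.readline(256)
            if line.startswith(b"SSH-"):
                return line
    raise ValueError("no SSH identification line received")

if __name__ == "__main__":
    for sample in (FROM_QUESTION, CONSTRUCTED):
        print(sample, "->", disclosed(parse_ident(sample)))
```

To check a live server instead of the samples, pass the result of `read_ident("localhost")` to `parse_ident`.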