Date: Tue, 20 Mar 2001 05:16:27 +0900 From: itojun@iijlab.net To: Kris Kennaway <kris@obsecurity.org> Cc: Shoichi Sakane <sakane@ydc.co.jp>, freebsd-security@FreeBSD.ORG, markus@OpenBSD.org Subject: Re: Reporting OpenSSH version (Re: What's vunerable?) Message-ID: <9942.985032987@coconut.itojun.org> In-Reply-To: kris's message of Mon, 19 Mar 2001 10:43:43 PST. <20010319104343.A3941@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>> I compiled and installed 2.2.0 'port revision' 2, and I connected >> to the ssh port number 22 on localhost. the sshd said, >>=20 >> shoichi:~] telnet localhost 22 >> Trying ::1... >> Connected to localhost. >> Escape character is '^]'. >> SSH-1.99-OpenSSH_2.2.0 >>=20 >> I just thought the version was vulnerable. So I think the version >> should be "SSH-1.99-OpenSSH_2.2.0-port_revision_2" > >You're probably right - something along these lines should be done to >distinguish the version reported by scanners like scanssh. I'd prefer >SSH-1.99-OpenSSH_2.2.0_2 myself to be consistent with the naming of >the port itself, but I'm not sure if this is allowable syntax. >Markus, can you comment? never play with openssh version number. the version number string is used as protocol backward compatibility handling. if you import 2.5.1, report that it is 2.5.1. the only way we are allowed to add extra thing is to add it after a space - like SSH-1.99-OpenSSH_2.5.1 foo bar baz see NetBSD src/crypto/dist/ssh/version.h. itojun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9942.985032987>