Bug 1364595

Summary: sshd reports wrong version in banner
Product: [Fedora] Fedora
Reporter: Michael Hampton <error>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: jjelen, mattias.ellert, mgrepl, plautrba, tmraz
Hardware: All   
OS: Linux   
Last Closed: 2016-08-09 07:05:09 UTC
Type: Bug

Description Michael Hampton 2016-08-05 21:03:44 UTC
Description of problem:
When connecting to sshd on port 22, sshd reports itself as version 7.2, rather than 7.2p2.


Version-Release number of selected component (if applicable):
openssh-7.2p2-11.fc24.x86_64


How reproducible:
Always


Steps to Reproduce:
1. nc localhost 22


Actual results:
SSH-2.0-OpenSSH_7.2


Expected results:
SSH-2.0-OpenSSH_7.2p2


Additional info:
This is causing an issue where external security scanners misidentify sshd as an older version, causing false positives on scan reports.

Other distributions appear to report the version correctly. Debian stretch reports:
SSH-2.0-OpenSSH_7.2p2 Debian-5

Comment 1 Jakub Jelen 2016-08-08 07:12:11 UTC
Thank you for the report.

The portable version was removed from the SSH_VERSION constant in 2004 [1], but the sshd identification string has not been updated to contain the portable suffix since then.

This seems like a bug in portable openssh somehow worked around in Debian using their patches [2] (7.3p2).

Not sure if it is intentional or not. I will send a mail to portable upstream to check if this is intentional or not.

The client identification string does not contain this information either (upstream), and Debian patches it into sshconnect, but not into ssh_api.c [3].

[1] https://github.com/openssh/openssh-portable/commit/2aa6d3cf
[2] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=c81054
[3] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/ssh_api.c#n389

Comment 2 Jakub Jelen 2016-08-09 06:18:11 UTC
This is intentional from portable upstream and a bug in Debian, according to upstream [1]. I probably wrote too fast to read the commit messages properly.

Let me know if you need some more clarification, or I can close this bug.

[1] http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-August/035302.html
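
An added example, not part of the bug thread or of OpenSSH: a scanner-side check that treats a banner without the portable suffix as "patch level unknown" rather than as an older release, and reconciles it with a package string when one is available from the host. The function names and result labels are hypothetical; the banners and package string are the ones quoted in the report.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH software version: base release plus optional portable suffix (e.g. p2)
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<base>\d+\.\d+(?:\.\d+)?)(?P<portable>p\d+)?$")
# RPM-style package string in the form quoted in the report
PKG_RE = re.compile(r"^openssh-(?P<base>\d+\.\d+(?:\.\d+)?)(?P<portable>p\d+)?-(?P<release>.+)$")

def parse_banner(line):
    """Split an identification string; None if it is not an OpenSSH banner."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    o = OPENSSH_RE.match(m["software"])
    if not o:
        return None
    return {"proto": m["proto"], "base": o["base"],
            "portable": o["portable"], "comments": m["comments"]}

def reconcile(banner_line, package=None):
    """Classify what a scanner may conclude about the portable patch level."""
    banner = parse_banner(banner_line)
    if banner is None:
        return "unparsed"
    if package is None:
        # Upstream banners omit the suffix, so its absence proves nothing.
        return "suffix-reported" if banner["portable"] else "suffix-unknown"
    pkg = PKG_RE.match(package)
    if not pkg:
        return "unparsed"
    if banner["base"] != pkg["base"]:
        return "mismatch"
    # A banner that does carry a suffix must agree with the package.
    if banner["portable"] and banner["portable"] != pkg["portable"]:
        return "mismatch"
    return "consistent"

if __name__ == "__main__":
    # Banners and package string taken from the report above.
    pkg = "openssh-7.2p2-11.fc24.x86_64"
    for b in ("SSH-2.0-OpenSSH_7.2", "SSH-2.0-OpenSSH_7.2p2 Debian-5"):
        print(b, "->", reconcile(b), "/", reconcile(b, pkg))
```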