Description of problem:
When connecting to sshd on port 22, sshd reports itself as version 7.2, rather than 7.2p2.

Version-Release number of selected component (if applicable):
openssh-7.2p2-11.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. nc localhost 22

Actual results:
SSH-2.0-OpenSSH_7.2

Expected results:
SSH-2.0-OpenSSH_7.2p2

Additional info:
This is causing an issue where external security scanners misidentify sshd as an older version, causing false positives on scan reports. Other distributions appear to report the version correctly. Debian stretch reports:
SSH-2.0-OpenSSH_7.2p2 Debian-5
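To show what a scanner actually has to work with here, the following is an added example (not code from the report, from Fedora or from OpenSSH) that parses the two identification strings quoted above per RFC 4253 and splits the OpenSSH software string into its major.minor and optional pN portable suffix; the sample banners are constructed to match the report.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)
# OpenSSH software string: OpenSSH_<major>.<minor>[p<portable release>]
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?$")


@dataclass
class Banner:
    proto: str
    software: str
    comments: Optional[str]
    version: Optional[Tuple[int, int]]  # (major, minor) when software is OpenSSH
    portable: Optional[int]             # pN suffix, or None when not advertised


def parse_banner(raw: bytes) -> Banner:
    """Parse one SSH identification line as sent by sshd (or a client)."""
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = BANNER_RE.match(text)
    if m is None:
        raise ValueError(f"not an SSH identification string: {text!r}")
    version = portable = None
    o = OPENSSH_RE.match(m.group("software"))
    if o is not None:
        version = (int(o.group("major")), int(o.group("minor")))
        portable = int(o.group("portable")) if o.group("portable") else None
    return Banner(m.group("proto"), m.group("software"), m.group("comments"), version, portable)


def same_upstream_release(a: Banner, b: Banner) -> bool:
    """True when both banners name the same OpenSSH major.minor. The pN suffix is
    deliberately ignored: an unpatched portable sshd never sends it, so a scanner
    keyed on the full string would treat 7.2 and 7.2p2 as different releases."""
    return a.version is not None and a.version == b.version


# Constructed sample banners matching the ones quoted in the report.
FEDORA = b"SSH-2.0-OpenSSH_7.2\r\n"
DEBIAN = b"SSH-2.0-OpenSSH_7.2p2 Debian-5\r\n"

if __name__ == "__main__":
    for raw in (FEDORA, DEBIAN):
        b = parse_banner(raw)
        print(f"{b.software:<16} version={b.version} portable={b.portable} comments={b.comments!r}")
    print("same upstream release:", same_upstream_release(parse_banner(FEDORA), parse_banner(DEBIAN)))
```

The banner alone cannot tell a scanner which portable patch level is running; the installed package version (openssh-7.2p2-11.fc24 here) is the authoritative source for that.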
Thank you for the report. The portable version was removed from the SSH_VERSION constant in 2004 [1], but the sshd identification string has not been updated to contain the portable suffix since then. This seems like a bug in portable openssh, somehow worked around in Debian using their patches [2] (7.3p2). Not sure if it is intentional or not. I will send a mail to portable upstream to check whether this is intentional or not. The client identification string does not contain this information either (upstream); Debian patches it into sshconnect, but not into ssh_api.c [3].

[1] https://github.com/openssh/openssh-portable/commit/2aa6d3cf
[2] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=c81054
[3] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/ssh_api.c#n389
This is intentional on the part of portable upstream and a bug in Debian, according to upstream [1]. I probably wrote too fast to read the commit messages properly. Let me know if you need some more clarification, or I can close this bug.

[1] http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-August/035302.html