  #1 -- Just Joined! (Join Date: Dec 2007, Posts: 27)

    Disable ssh banner, not sshd_config????

    Hey everyone, yesterday I switched from Ubuntu after a good 2 years to Debian. I setup ssh and jailed my user etc... however when I netcat to myself, ssh very proudly displays the OS, protocol, and version. Now, I'm not too fond of that lol:

    # nc 192.168.1.3 22
    SSH-2.0-OpenSSH_5.1p1 Debian-5

    This is separate from the banner if I actually ssh into my machine, I set that option:

    Banner /etc/ssh/banner.txt

    in the /etc/ssh/sshd_config file. So I was wondering if anyone could point me in the right direction to disabling the default text sent by the ssh service (default service, aptitude install ssh). I'm using Lenny, if the banner didn't give it away :P

  #2 -- GNU-Fan, Linux Engineer (Join Date: Mar 2008, Posts: 935)

    Hi,

    the first part of this message is part of the protocol. You can't withhold it, or otherwise the client won't know how to talk to the server. You would need a customized ssh client if you wanted to get rid of it completely.


    The remaining part was added by the Debian developers.
    You can track it down as follows:

    In an empty directory type as a normal user:
    Code:
    apt-get source openssh-server
    This will fetch the source code of the package with the Debian patches applied.

    In "version.h" you find the line
    Code:
    #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION
    where "SSH_EXTRAVERSION" is the offender.

    It is being set in "rules":
    Code:
    # Change the version string to include the Debian version
    SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//')
    ...
    cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"

    Now I am not sure what to recommend to you. You could change/delete the offending part at the source and recompile. Or you get the "original" upstream version of openssh, where this problem doesn't exist.

    For any other program than this I would have given the recommendation to simply overwrite the text in the binary with a hex editor. But as this is such a crucial security component, it's not so clever.
    Debian GNU/Linux -- You know you want it.

  #3 -- Just Joined! (Join Date: Dec 2007, Posts: 27)

    awesome

    awesome response, thanks so much! I'll change it the first way you recommended first, but I might have to play around with a binary hex editor... that just sounds fun. Any particular one you would recommend?

    I'm not really wanting this to be a public ssh service, as much as a ssh service solely for friends. So even if I was to replace the whole string with "blah", as long as they connected using ssh protocol 2 I 'think' they will be fine. Time to go find out!

    Thanks again man, great response. Much appreciated.

  #4 -- Just Joined! (Join Date: Dec 2007, Posts: 27)

    option 1

    Hey, so I'm doing it the first way, first (download the source for the openssh-server and changing it). I configure it with:

    ./configure --prefix=/usr --sysconfdir=/etc/ssh

    so that it will be installed into the same directories as when I do 'aptitude install...'. And that works just fine, and I can run the ssh server from /usr/sbin/ and the banner is correctly changed. However, there isn't an entry in /etc/init.d/ for ssh, so I can't do /etc/init.d/ssh restart | start | stop etc...

    When you compile / install manually like this, is that normal? Or am I supposed to create a link or something in /etc/init.d/ to ssh? I would like for it to start up automatically such as when I install it from aptitude. So any help on that front would be appreciated.

    ---------------------------
    Option 2. I used a binary hex editor (ghex2) to try it that way as well. After saving the file with that one string (Debian-5) changed to any text, it doesn't work anymore. When I do /etc/init.d/ssh it no longer responds with the 'usage' message (i.e.: usage: .../ssh start|stop|restart...). So changing that must corrupt it.

    Anyways, any help on either front would be appreciated! Thanks guys, I'm real close to doing it either way lol.

  #5 -- GNU-Fan, Linux Engineer (Join Date: Mar 2008, Posts: 935)

    Hi,

    when you fiddle with a hex-editor, you _absolutely must_ make sure you replace the string with the very same number of characters. Why is this? Well, if you don't, the whole rest of the binary will collapse or grow like Tetris bricks. And this means the variables used aren't in the same place, i.e. memory location, anymore. This gets the program out of step and this is the reason why I somewhat discouraged this way.

    @Option1: If you have the original Debian SSHD installed, it should create all these init.d things for you. And all you do then is overwrite the binary. Maybe build the sshd binary in a different directory somewhere under /home and then just "cp" it over the original. Make sure the file access rights are set correctly.

    Remember that it will be overwritten by the next update of openssh-server from Debian. You will then have to repeat the steps. So write down the exact steps you did so you can repeat them easily. (I always tend to forget this and need to figure out anew what I did half a year before.)


    PS:

    Quote:
        I'm not really wanting this to be a public ssh service, as much as a ssh service solely for friends. So even if I was to replace the whole string with "blah", as long as they connected using ssh protocol 2 I 'think' they will be fine.
    No, I meant this is part of the protocol. This means the client application will most likely look for this response. If it doesn't get it, it will maybe complain and say it cannot connect to the server, as it doesn't support SSH.

    So if you modify the first part, you will have to modify the OpenSSH client or PuTTY or whatever your friends use and hand out adapted SSH clients especially for your machine.
    Debian GNU/Linux -- You know you want it.
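An added example (not from the thread or from OpenSSH) to illustrate GNU-Fan's two points in posts #2 and #5: which part of the line shown in post #1 is the protocol-mandated identification string, and why a hex-edit must keep the string length. It parses the RFC 4253 fields from constructed sample lines and applies the same-length check to a constructed stand-in for the binary.

```python
import re

# Constructed sample identification lines, modelled on the one in post #1.
# RFC 4253 sec. 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
SAMPLE_LINES = [
    b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",  # what nc showed the poster
    b"SSH-2.0-blah\r\n",                    # the "blah" idea from post #3
    b"SSH-1.99-OpenSSH_3.9p1\r\n",          # 1.99: server speaks 1.x and 2.0
    b"HTTP/1.0 400 Bad Request\r\n",        # not SSH at all
]

IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>[^ \r\n]*)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n$"
)

def parse_identification(line: bytes):
    """Split an identification line into its RFC 4253 fields, or None."""
    m = IDENT_RE.match(line)
    if m is None:
        return None
    return {
        "proto": m.group("proto").decode("ascii", "replace"),
        "software": m.group("software").decode("ascii", "replace"),
        "comments": (m.group("comments") or b"").decode("ascii", "replace"),
    }

def client_accepts(line: bytes) -> bool:
    """A protocol-2 client needs the SSH- prefix and protoversion 2.0 (or
    1.99); softwareversion and comments are informational, which is why
    "SSH-2.0-blah" still parses while a non-SSH greeting does not."""
    f = parse_identification(line)
    return f is not None and f["proto"] in ("2.0", "1.99")

def patch_same_length(blob: bytes, old: bytes, new: bytes) -> bytes:
    """The hex-editor rule from post #5: replace old with new only when both
    have the same length, so no other byte in the binary shifts position."""
    if len(old) != len(new):
        raise ValueError(f"replacement must be {len(old)} bytes, got {len(new)}")
    if old not in blob:
        raise ValueError("string not present in binary")
    return blob.replace(old, new)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, parse_identification(line), client_accepts(line))
    # Constructed stand-in for the version literal inside the sshd binary.
    fake_bin = b"\x00OpenSSH_5.1p1 Debian-5\x00"
    print(patch_same_length(fake_bin, b"Debian-5", b"blah-xyz"))
```

Real clients do read the softwareversion field: OpenSSH's compat code matches it against known version patterns to switch on bug-compatibility workarounds, so an unrecognised string is still accepted but simply gets no quirks applied.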

  #6 -- Just Joined! (Join Date: Dec 2007, Posts: 27)

    thanks

    success! I got it, thanks so much for the help. I learned some good things.

    I ended up compiling elsewhere and copying the binary like you said. And I did a 1 for 1 with the binary via the hex editor, but oh well, I must have missed something. No worries, I'll save that for next time.

    much appreciated GNU-Fan, thanks again.
