ssh banner seems not to follow RFC

Question

ssh banner seems not to follow RFC

lapo-luchini opened this issue 3 months ago · 4 comments

The current ssh banner defined in ssh_api.c:423 is this:

sshbuf_putf(banner, "SSH-2.0-%.100s\r\n", SSH_RELEASE)

and the constant is defined in version.h:3-7 as:

#define SSH_VERSION	"OpenSSH_9.7"
#define SSH_PORTABLE	"p1"
#define SSH_HPN         "-hpn18.4.2"
#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

thus leading to a banner of: SSH-2.0-OpenSSH_9.7p1-hpn18.4.2.

Unfortunately it seems that RFC4253 4.2 defines the banner as:

SSH-protoversion-softwareversion SP comments CR LF

Both the 'protoversion' and 'softwareversion' strings MUST consist of
printable US-ASCII characters, with the exception of whitespace
characters and the minus sign (-).

thus I defined the regexp to match that in my blackbox_exporter template as ^SSH-2.0-([^ -]+)(?: (.*))?$ which turns out to fail on hpn-ssh for the forementioned reason.

Now, I can certainly relax my regexp to avoid excluding the -… but I thought you might want to know this (and maybe decide to prefix that with an underscore instead of an hyphen?).

Answer 1 · 2024-09-03T20:08:26.000Z

Well, it's annoying that I didn't pick up on that in the RFC. I'll be modifying the version string for the next release. An underscore should work but I'll need to verify that. Thanks for bringing this to our attention.

Answer 2 · 2024-09-04T10:44:51.000Z

e.g. OpenSSH uses SSH-2.0-OpenSSH_9.5 so an underscore should be fine.

Answer 3 · 2024-09-04T15:36:49.000Z

I agree, I just need to make sure it works with the compatibility tests I use in the HPN-SSH code itself. I haven't had a chance to look at that specific code portion as of yet.

Answer 4 · 2024-09-05T15:25:27.000Z

Resolved and will be pushed out in the new version.