From: Per Hedeland
Date: Mon, 17 Feb 2020 18:38:17 +0100
To: Valeri Galtsev, Özgür Kazancci
Cc: David Mehler, freebsd-questions
Subject: Re: tightening sshd, removing server identification banner

On 2020-02-17 18:02, Valeri Galtsev wrote:
>
>> On Feb 17, 2020, at 10:58 AM, Özgür Kazancci wrote:
>>
>> Hello David,
>>
>> If you're sure you uncommented these lines,
>> #VersionAddendum none
>> #Banner none
>>
>
> As far as I know, uncommenting lines in sshd_config is unnecessary.
> These are put there as commented lines to indicate defaults which sshd was built with, so they are already in effect. That is why good practice is when changing something to keep commented line as it is, and add next to it yours not commented different setting.

Agreed, but changing the commented value without uncommenting does
(obviously) not have any effect. The default sshd_config in
12.1-RELEASE has

#VersionAddendum FreeBSD-20180909
#Banner none

I.e. an uncommented

VersionAddendum none

is needed to remove the above text.

> Valeri
>
>> and restarted the sshd, then there is not much else left -imho-. A complete removal of SSHD banner (if that's what you're trying to do) requires a manual edit of OpenSSH(d) files & complete compilation of it from scratch.

I think the "SSH-2.0" part should be considered mandatory, it's part
of the protocol.

--Per

>> Best,
>> Özgür.
>>
>> On 17/02/2020 19:53, David Mehler wrote:
>>> Hello,
>>> I'm running FreeBSD 12.0. I'm attempting to tighten up my sshd
>>> configuration. I've got things where I want them, except for the
>>> connecting banner. I'm using sshaudit.com to test things and this is
>>> what it's saying for the banner setting:
>>> Banner:SSH-2.0-OpenSSH_7.8 FreeBSD-20180909
>>> I would rather this be set to nothing or at most very minimal. Google
>>> and the sshd_config man page reveal the Banner and VersionAddendum
>>> options. I've set both to none.
>>> PrintMotd no
>>> #PrintLastLog yes
>>> #VersionAddendum none
>>> #Banner none
>>> Can anyone tell me how to get the results I am looking for?
>>> Thanks.
>>> Dave.
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
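
An added example, not part of the original message and not OpenSSH code: it reads sshd_config text the way the reply describes (commented lines are ignored, so the compiled-in default applies; the first uncommented keyword is used) and builds the identification string that results. The function names and sample files are constructed for illustration, and Include and Match handling are left out.

```shell
#!/bin/sh
# Added example: predict the SSH identification string from sshd_config text.

# Print the effective VersionAddendum for config file $1: the first
# uncommented occurrence is used (keywords are case-insensitive);
# if there is none, the compiled-in default ($2) applies.
effective_addendum() {
    awk -v def="$2" '
        /^[ \t]*(#|$)/ { next }              # comment or blank line: no effect
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line
            sub(/[ \t=].*$/, "", key)        # keyword ends at whitespace or "="
            if (tolower(key) != "versionaddendum") next
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)  # drop separator
            sub(/[ \t]+$/, "", val)
            print val; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# Build the identification string for software version $1 and addendum $2.
# "SSH-2.0-<software>" is always sent; only the addendum can be dropped.
ident_string() {
    case "$2" in
        ""|none) printf 'SSH-2.0-%s\n' "$1" ;;
        *)       printf 'SSH-2.0-%s %s\n' "$1" "$2" ;;
    esac
}

# Constructed sample files: the lines quoted in the thread, and the fix.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'PrintMotd no' '#VersionAddendum none' '#Banner none' > "$tmp/commented"
printf '%s\n' 'PrintMotd no' 'VersionAddendum none' '#Banner none' > "$tmp/fixed"

DEFAULT='FreeBSD-20180909'   # compiled-in default, as stated in the thread
SOFTWARE='OpenSSH_7.8'       # from the banner reported in the thread

for f in commented fixed; do
    addendum=$(effective_addendum "$tmp/$f" "$DEFAULT")
    printf '%-10s %s\n' "$f" "$(ident_string "$SOFTWARE" "$addendum")"
done
```

On a live host, `sshd -T` prints the effective configuration, which is the authoritative check after editing the file and restarting sshd.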