Subject: cdimage.debian.org: Debian Live DVD 8.0.0 ssh server enabled by default
Package: cdimage.debian.org
Severity: important
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
I was testing my system's security when I discovered this.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I invoked this command: sudo service ssh stop
* What was the outcome of this action?
Success but not enough. The command stopped the ssh service successfully but inexperienced users are probably not aware of this.
* What outcome did you expect instead?
The ssh service should be disabled by default because an attacker could exploit this.
The Live DVD comes with a default username and password making the threat very real.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 8.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-586
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)