
Bug#430807: marked as done (openssh-server: Apply OpenSSH HideVersion patch)



Your message dated Wed, 27 Jun 2007 13:54:58 +0100
with message-id <20070627125458.GE4163@riva.ucam.org>
and subject line Bug#430807: openssh-server: Apply OpenSSH HideVersion patch
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9
Severity: wishlist
Tags: patch

Please consider including the patch at
http://www.kramse.dk/projects/unix/opensshhideversion_en.html
This will make openssh no longer announce itself as being openssh, nor
reveal its version, nor reveal the fact this system is running Debian.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19-rvdb
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)

Versions of packages openssh-server depends on:
ii  adduser  3.102                           Add and remove users and groups
ii  debconf  1.5.11                          Debian configuration management sy
ii  dpkg     1.13.25                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-13                    GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii  libkrb53 1.4.4-7etch1                    MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libselin 1.32-3                          SELinux shared libraries
ii  libssl0. 0.9.8c-4                        SSL shared libraries
ii  libwrap0 7.6.dbs-13                      Wietse Venema's TCP wrappers libra
ii  openssh- 1:4.3p2-9                       Secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-server recommends no packages.

-- debconf information excluded


--- End Message ---
--- Begin Message ---
On Wed, Jun 27, 2007 at 02:12:18PM +0200, Richard van den Berg wrote:
> Package: openssh-server
> Version: 1:4.3p2-9
> Severity: wishlist
> Tags: patch
> 
> Please consider including the patch at
> http://www.kramse.dk/projects/unix/opensshhideversion_en.html
> This will make openssh no longer announce itself as being openssh, nor
> reveal its version, nor reveal the fact this system is running Debian.

Sorry, no, I won't do this. Firstly, announcing the fact that it's
OpenSSH and the upstream version is part of the protocol and not doing
so will break the ability to apply compatibility fixups; the fact that
the author of the HideVersion patch hasn't experienced this problem does
not concern me, because I know it's real and have encountered real bugs
in the past that were fixed by this technique. Secondly, the Debian
version number was added to the banner to increase security in the
large: it makes it easier for administrators of heterogeneous networks
(the specific example was the University of Cambridge Computing Service,
but I'm quite sure there are others employing "friendly probing"
techniques) to identify versions with security flaws. Thirdly, adding
configuration options to the Debian package of OpenSSH has historically
caused problems in that upstream have a habit of adding them later under
a different name or with different semantics, and then we have to
maintain compatibility code for evermore, so I'm trying not to do this
in future.

It is my belief, and I've never seen anything to contradict it, that the
bulk of people attempting to exploit vulnerabilities in openssh do not
bother checking the version number; they just throw whatever attacks
they have at any exposed ssh port they can find. As such, I think that
this is not so much security by obscurity as security by placebo (it is
extremely important to keep your sshd up to date against all known
vulnerabilities regardless of whether its version number is exposed;
hiding the version number will simply give you a false sense of
security), and I think the benefits of exposing the version number
outweigh the claimed negative points. Of course I have no objection to
people applying this patch locally if they want to do so, but I don't
want to have to maintain it as part of the Debian package.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
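The "friendly probing" Colin Watson's reply refers to works because the SSH identification string is sent in the clear before any key exchange, so an administrator can inventory sshd versions across a network without credentials. The following is an added example written for this page, not code from the Debian package, OpenSSH or the HideVersion patch: it parses that identification line as RFC 4253 section 4.2 defines it ("SSH-protoversion-softwareversion SP comments CR LF", optionally preceded by other lines), pulls out the upstream OpenSSH version and the comment field where Debian carries its package revision, and groups hosts by what their banner reveals. The sample banners are constructed for illustration (the "hidden" entry assumes a patched sshd that blanks the software field), and the host names and `scan_host` parameters are assumptions.

```python
"""Banner-based sshd inventory (added example; not part of the original thread).

The identification string is the first line any SSH server must send and is
the only version information available before authentication, which is what
makes it useful both for client compatibility fixups and for admin-side
"friendly probing" of a heterogeneous network.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF.
# softwareversion is allowed to be empty here so that a banner from a
# version-hiding patch still parses instead of being treated as junk.
_ID_RE = re.compile(rb"^SSH-(?P<proto>[^-\s]+)-(?P<sw>[^\s]*)(?: (?P<comments>.*))?$")


@dataclass
class SshIdent:
    proto: str                 # "2.0" or "1.99" (1.99 = server also speaks v1)
    software: str              # e.g. "OpenSSH_4.3p2"; empty if hidden
    comments: Optional[str]    # e.g. "Debian-9"; None if absent

    @property
    def is_openssh(self) -> bool:
        return self.software.startswith("OpenSSH_")

    @property
    def openssh_version(self) -> Optional[str]:
        return self.software[len("OpenSSH_"):] if self.is_openssh else None


def parse_ident_line(line: bytes) -> Optional[SshIdent]:
    """Parse one identification line; None if it is not a valid SSH- line."""
    m = _ID_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    comments = m.group("comments")
    return SshIdent(
        proto=m.group("proto").decode("ascii", "replace"),
        software=m.group("sw").decode("ascii", "replace"),
        comments=comments.decode("ascii", "replace") if comments is not None else None,
    )


def read_ident(raw: bytes) -> Optional[SshIdent]:
    """Find the identification line in the server's opening bytes.

    RFC 4253 lets a server send arbitrary CR LF-terminated lines before the
    real banner, so skip anything that does not start with "SSH-".
    """
    for line in raw.split(b"\n"):
        if line.startswith(b"SSH-"):
            return parse_ident_line(line)
    return None


def _has_complete_ident_line(buf: bytes) -> bool:
    # Only lines before the final "\n" are complete; a partial line could be
    # mis-parsed as a truncated version string.
    return any(l.startswith(b"SSH-") for l in buf.split(b"\n")[:-1])


def scan_host(host: str, port: int = 22, timeout: float = 3.0) -> Optional[SshIdent]:
    """Grab the banner from a live host (network; not exercised offline).

    We send our own identification line first, as a well-behaved client
    would, then read until the server's banner line is complete.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-bannerprobe_0.1\r\n")  # hypothetical client name
        buf = b""
        while len(buf) < 65536 and not _has_complete_ident_line(buf):
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
    return read_ident(buf)


def inventory(banners: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group hosts by what their banner reveals to a network administrator."""
    groups: Dict[str, List[str]] = {}
    for host, raw in banners.items():
        ident = read_ident(raw)
        if ident is None or not ident.software:
            key = "unidentified"          # no usable version: cannot be triaged remotely
        elif ident.is_openssh:
            key = f"OpenSSH {ident.openssh_version}"
            if ident.comments:
                key += f" ({ident.comments})"   # Debian package revision lives here
        else:
            key = ident.software
        groups.setdefault(key, []).append(host)
    return groups


# Constructed sample banners for illustration; not captured from real hosts.
SAMPLE_BANNERS: Dict[str, bytes] = {
    "etch-box":   b"SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n",               # Debian 1:4.3p2-9
    "self-built": b"SSH-2.0-OpenSSH_4.3p2\r\n",                        # upstream build, no comment
    "chatty":     b"Welcome to the lab\r\nSSH-1.99-OpenSSH_4.3p2 Debian-9\r\n",
    "hidden":     b"SSH-2.0-\r\n",                                     # assumed version-hiding patch
    "other":      b"SSH-2.0-dropbear_0.49\r\n",                        # a non-OpenSSH server
}

if __name__ == "__main__":
    for group, hosts in inventory(SAMPLE_BANNERS).items():
        print(f"{group}: {', '.join(hosts)}")
```

Running the inventory over the constructed banners shows the trade-off the reply is making: the two Debian hosts are attributable to a specific package revision, the upstream build only to an upstream release, and the version-hiding host cannot be triaged at all, even though its sshd is exactly as patched or unpatched as it was before the banner was changed.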
