
Bug#673633: marked as done (openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian)



Your message dated Mon, 21 May 2012 10:46:45 +0100
with message-id <20120521094645.GH6350@riva.dynamic.greenend.org.uk>
and subject line Re: Bug#673633: openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian
has caused the Debian Bug report #673633,
regarding openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
673633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673633
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.9p1-5
Severity: minor

Dear Maintainer,
When using `ssh -v' when connecting to my Debian box, I can see my
SSH and Debian version, without even having a valid login in the
machine. This shouldn't happen.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-4-pve (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu1
ii  debconf [debconf-2.0]  1.5.43
ii  dpkg                   1.16.3
ii  libc6                  2.13-32
ii  libcomerr2             1.42.2-2
ii  libgssapi-krb5-2       1.10+dfsg~beta1-2
ii  libkrb5-3              1.10+dfsg~beta1-2
ii  libpam-modules         1.1.3-7.1
ii  libpam-runtime         1.1.3-7.1
ii  libpam0g               1.1.3-7.1
ii  libselinux1            2.1.9-2
ii  libssl1.0.0            1.0.1c-1
ii  libwrap0               7.6.q-23
ii  lsb-base               4.1+Debian3
ii  openssh-client         1:5.9p1-5
ii  procps                 1:3.3.2-3
ii  zlib1g                 1:1.2.7.dfsg-1

Versions of packages openssh-server recommends:
ii  openssh-blacklist        0.4.1
ii  openssh-blacklist-extra  <none>
ii  xauth                    1:1.0.7-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded



--- End Message ---
--- Begin Message ---
tag 673633 wontfix
tag 673635 wontfix
thanks

On Sun, May 20, 2012 at 12:51:04PM +0200, David Marti wrote:
> When using `ssh -v' when connecting to my Debian box, I can see my
> SSH and Debian version, without even having a valid login in the
> machine. This shouldn't happen.

Exposing the version of OpenSSH itself is part of the protocol.  Hiding
it would break clients' ability to select bug-compatibility hacks
depending on the server version.  OpenSSH really does do this; see
compat.c.

As for the inclusion of the Debian version, this is quite deliberate and
isn't going to change; hiding this information doesn't particularly slow
down black-hats anyway as far as I've ever been able to tell (it's
generally quicker to just try an attack and see if it works, rather than
assembling a list of vulnerable systems first), and it permits network
administrators to tell that Debian-based OpenSSH installations have been
patched (I have seen this in use in practice).

If you want to hide the Debian version anyway, set "DebianBanner no" in
/etc/ssh/sshd_config, as documented in sshd_config(5).

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---
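
Added example (not part of the original thread, and not Debian's or OpenSSH's code): a sketch of the administrator-side check the reply describes, reading the identification string a server sends before authentication and using the Debian suffix to judge patch level. The banner samples and the fixed revision 5 are constructed for illustration; the "Debian-<revision>" comment format is assumed, and only the leading integer of the revision is compared, not full dpkg version ordering.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# Assumed Debian packaging comment; absent when "DebianBanner no" is set.
DEBIAN_RE = re.compile(r"^Debian-(?P<rev>\d+)")


def parse_banner(line):
    """Split an SSH identification string into fields; None if it is not one."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    d = DEBIAN_RE.match(m["comments"] or "")
    return {
        "proto": m["proto"],
        "software": m["software"],
        "comments": m["comments"],
        "debian_rev": int(d["rev"]) if d else None,
    }


def patch_status(line, upstream, min_rev):
    """Classify a banner against a fixed package: upstream version plus
    minimum Debian revision (both supplied by the caller)."""
    info = parse_banner(line)
    if info is None:
        return "not-ssh"
    if info["software"] != "OpenSSH_" + upstream:
        return "other-version"
    if info["debian_rev"] is None:
        return "unknown"  # banner hidden or not a Debian build: check on-host
    return "patched" if info["debian_rev"] >= min_rev else "needs-update"


if __name__ == "__main__":
    constructed = [  # constructed sample banners, not captured from real hosts
        "SSH-2.0-OpenSSH_5.9p1 Debian-5\r\n",
        "SSH-2.0-OpenSSH_5.9p1 Debian-4\r\n",
        "SSH-2.0-OpenSSH_5.9p1\r\n",
    ]
    for banner in constructed:
        print(repr(banner), "->", patch_status(banner, "5.9p1", 5))
```

Hosts reported as "unknown" are the cost of hiding the suffix: their patch level has to be confirmed from the package database on the machine instead of from the network.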
