Your message dated Mon, 21 May 2012 10:46:45 +0100
with message-id <20120521094645.GH6350@riva.dynamic.greenend.org.uk>
and subject line Re: Bug#673633: openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian
has caused the Debian Bug report #673635,
regarding openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
673635: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673635
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian
- From: David Martí <neikokz@gmail.com>
- Date: Sun, 20 May 2012 12:59:45 +0200
- Message-id: <CAK1DC+35hym+RKsFbNQFnBM8nsDMkaiYUgpVYH6FMhFaZ_vpNQ@mail.gmail.com>

Package: openssh-server
Version: 1:5.9p1-5
Severity: minor

When using `ssh -v' when connecting to my Debian box, I can see my SSH and Debian version, without even having a valid login in the machine. This shouldn't happen.
--- End Message ---
--- Begin Message ---
- To: 673633-close@bugs.debian.org, 673635-close@bugs.debian.org
- Subject: Re: Bug#673633: openssh-server: Don't expose the OpenSSH version and the fact I'm using Debian
- From: Colin Watson <cjwatson@debian.org>
- Date: Mon, 21 May 2012 10:46:45 +0100
- Message-id: <20120521094645.GH6350@riva.dynamic.greenend.org.uk>
- In-reply-to: <20120520105104.5387.57165.reportbug@vortigaunt.net>
- References: <20120520105104.5387.57165.reportbug@vortigaunt.net>

tag 673633 wontfix
tag 673635 wontfix
thanks

On Sun, May 20, 2012 at 12:51:04PM +0200, David Marti wrote:
> When using `ssh -v' when connecting to my Debian box, I can see my
> SSH and Debian version, without even having a valid login in the
> machine. This shouldn't happen.

Exposing the version of OpenSSH itself is part of the protocol. Hiding it would break clients' ability to select bug-compatibility hacks depending on the server version. OpenSSH really does do this; see compat.c.

As for the inclusion of the Debian version, this is quite deliberate and isn't going to change; hiding this information doesn't particularly slow down black-hats anyway as far as I've ever been able to tell (it's generally quicker to just try an attack and see if it works, rather than assembling a list of vulnerable systems first), and it permits network administrators to tell that Debian-based OpenSSH installations have been patched (I have seen this in use in practice).

If you want to hide the Debian version anyway, set "DebianBanner no" in /etc/ssh/sshd_config, as documented in sshd_config(5).

--
Colin Watson [cjwatson@debian.org]
--- End Message ---
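The reply above says the server's version string is part of the protocol and that administrators use the Debian suffix to confirm their OpenSSH installations have been patched. The following is an added example, not code from the bug report, from Debian or from the OpenSSH project: it parses the identification string a server sends as its first line (the `SSH-protoversion-softwareversion SP comments` format of RFC 4253 section 4.2, which is what `ssh -v` reports as the remote software version), pulls out the upstream OpenSSH version and the Debian package revision, and compares the upstream version against a minimum. The `Debian-<revision>` comment format and the sample banners are assumptions modelled on the report's package version 1:5.9p1-5; the banners are constructed, not captured from real hosts.

```python
"""Parse SSH server identification strings and report what they reveal."""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Wire format of the identification string (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH reports itself as "OpenSSH_<major>.<minor>[p<portable>]".
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>[0-9]+\.[0-9]+(?:p[0-9]+)?)")
# Assumption: Debian's sshd appends its package revision as the comment field,
# e.g. "Debian-5" for package version 1:5.9p1-5; "DebianBanner no" drops it.
_DEBIAN_RE = re.compile(r"^Debian-(?P<revision>\S+)")


@dataclass
class Banner:
    proto: str                      # e.g. "2.0"
    software: str                   # e.g. "OpenSSH_5.9p1"
    comments: Optional[str]         # e.g. "Debian-5", or None
    openssh_version: Optional[str]  # e.g. "5.9p1"; None for non-OpenSSH servers
    debian_revision: Optional[str]  # e.g. "5"; None when no Debian suffix is sent


def parse_banner(line: bytes) -> Banner:
    """Parse one raw identification line exactly as the server sent it."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = _IDENT_RE.match(text)
    if m is None:
        raise ValueError(f"not an SSH identification string: {text!r}")
    software, comments = m.group("software"), m.group("comments")
    om = _OPENSSH_RE.match(software)
    dm = _DEBIAN_RE.match(comments) if comments else None
    return Banner(
        proto=m.group("proto"),
        software=software,
        comments=comments,
        openssh_version=om.group("version") if om else None,
        debian_revision=dm.group("revision") if dm else None,
    )


def version_tuple(version: str) -> Tuple[int, int, int]:
    """'5.9p1' -> (5, 9, 1); a missing portable suffix counts as 0."""
    m = re.fullmatch(r"([0-9]+)\.([0-9]+)(?:p([0-9]+))?", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSH version: {version!r}")
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def meets_minimum(banner: Banner, minimum: str) -> bool:
    """True when the server runs OpenSSH at or above the given upstream version.

    Note this only compares the upstream version; a Debian package can carry
    backported security fixes at an older upstream version, which is exactly
    why the Debian revision is worth reading alongside it.
    """
    if banner.openssh_version is None:
        return False
    return version_tuple(banner.openssh_version) >= version_tuple(minimum)


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Fetch the first line one of your own servers sends (the same data `ssh -v` prints)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.makefile("rb").readline()


# Constructed sample banners (not captured from real hosts): the first is
# modelled on what the report's package 1:5.9p1-5 would send by default, the
# second the same server with "DebianBanner no" set, the third a non-OpenSSH server.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_5.9p1 Debian-5\r\n",
    b"SSH-2.0-OpenSSH_5.9p1\r\n",
    b"SSH-2.0-dropbear_2012.55\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_BANNERS:
        b = parse_banner(raw)
        print(f"{b.software:<22} openssh={b.openssh_version} "
              f"debian_revision={b.debian_revision} >=5.9p1: {meets_minimum(b, '5.9p1')}")
```

Run stand-alone it walks the constructed banners; to inventory your own hosts, feed the output of `read_banner()` to `parse_banner()`. A banner with `debian_revision` set to `None` is what the `DebianBanner no` setting from the reply produces: the upstream OpenSSH version is still visible, because the protocol requires it, but the Debian package revision is not.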