
Bug#786987: openssh-server: please have DebianBanner default to no
Package: openssh-server
Version: 1:6.7p1-6
Severity: wishlist

Please change the defaults for the DebianBanner configuration variable
to "no" from "yes".

It's not clear to me that the advantages of announcing the Debian
version of the package that is running outweigh the additional metadata
leakage.

An administrator capable of upgrading packages when needed (e.g. for
security updates) should have more reliable ways to learn the version of
openssh-server running on their system than a cleartext banner sent
across the network on port 22.  And for systems that are not updated as
frequently as they should be, announcing "I have not yet been patched"
seems like an invitation for scripted attacks the next time an
exploitable vulnerability is announced.

Thanks for maintaining OpenSSH in Debian!

Regards,

            --dkg
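
As an added check (not part of this bug report), the following Python script parses the RFC 4253 identification string an sshd sends and reports whether its comments field carries a Debian package revision, which is exactly the metadata DebianBanner controls; the sample strings are constructed and the `OpenSSH_<ver> Debian-<revision>` layout is assumed. Run `fetch_ident()` against a host you administer to confirm the comments field is empty after setting `DebianBanner no`.

```python
"""Inspect an SSH server identification string for package metadata.

Added example, not part of the bug report. Assumed: the Debian banner
appears as "Debian-<revision>" in the RFC 4253 comments field.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    @property
    def distro_revision(self) -> Optional[str]:
        """Debian package revision leaked via the comments field, or None."""
        if not self.comments:
            return None
        m = re.match(r"^Debian-(\S+)", self.comments)
        return m.group(1) if m else None


def parse_ident(line: str) -> SshIdent:
    """Split one identification line into its three RFC 4253 parts."""
    m = _IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m.group("proto"), m.group("software"), m.group("comments"))


def leaks_package_revision(line: str) -> bool:
    """True when the banner announces the distribution package revision."""
    return parse_ident(line).distro_revision is not None


def fetch_ident(host: str, port: int = 22, timeout: float = 5.0) -> SshIdent:
    """Read the identification line from a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The server may send other lines before the "SSH-" line (RFC 4253 4.2).
        for raw in sock.makefile("rb"):
            text = raw.decode("utf-8", "replace")
            if text.startswith("SSH-"):
                return parse_ident(text)
    raise ValueError("no identification string received")
```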
