Bug#786987: openssh-server: please have DebianBanner default to no
On Wed, May 27, 2015 at 06:59:33PM +0200, Christoph Anton Mitterer wrote:
> On Wed, 2015-05-27 at 16:58 +0100, Colin Watson wrote:
> > Nagios is fine if you're running a server farm. It's useless if your
> > purpose is to perform friendly probing of a large heterogeneous network
> > most of which consists of desktop-type systems not run by professional
> > sysadmins.
> We have thousands of nodes at the university... within clusters, as
> workstations and dedicated experiment servers...
Surely you understand that it depends very strongly on the type of
management in place. If not, please stop replying to this bug.
> For none of them we use the Banner to determine whether it's up to
> date... is the banner not even secured? If not this would be completely
> useless to check whether an installation is "secure" as an attacker
> could simply try to forge the banner.
That's a completely different kind of attack.
> Anyway... I don't think this is that much of a security issue - but
> since there could be attacks where it's helpful to know the exact
> version in order to save time...
Like I say, I'm not aware of this being an issue in practice. If you
know real details, then instead of replying to this bug with hypotheses,
please point me at real examples.
--
Colin Watson [cjwatson@debian.org]