
Bug#786987: openssh-server: please have DebianBanner default to no



On Wed, May 27, 2015 at 06:59:33PM +0200, Christoph Anton Mitterer wrote:
> On Wed, 2015-05-27 at 16:58 +0100, Colin Watson wrote: 
> > Nagios is fine if you're running a server farm.  It's useless if your
> > purpose is to perform friendly probing of a large heterogeneous network
> > most of which consists of desktop-type systems not run by professional
> > sysadmins.
> We have thousands of nodes at the university... within clusters, as
> workstations and dedicated experiment servers...

Surely you understand that it depends very strongly on the type of
management in place.  If not, please stop replying to this bug.

> For none of them we use the Banner to determine whether it's up to
> date... is the banner not even secured? If not this would be completely
> useless to check whether an installation is "secure" as an attacker
> could simply try to forge the banner.

That's a completely different kind of attack.

> Anyway... I don't think this is that much of a security issue - but
> since there could be attacks where it's helpful to know the exact
> version in order to save time...

Like I say, I'm not aware of this being an issue in practice.  If you
know real details, then instead of replying to this bug with hypotheses,
please point me at real examples.

-- 
Colin Watson                                       [cjwatson@debian.org]

