
Bug#786987: openssh-server: please have DebianBanner default to no

On Wed, May 27, 2015 at 09:42:38AM -0400, Daniel Kahn Gillmor wrote:
> Please change the defaults for the DebianBanner configuration variable
> to "no" from "yes".
> 
> It's not clear to me that the advantages of announcing the debian
> version of the package that is running outweigh the additional metadata
> leakage.

I've always disagreed with this, which is why the banner default is the
way it is.  In particular, I've generally seen very little in the way of
evidence that people actually bother to select the servers they're going
to attack based on the banner, rather than just scattergunning the
attack across every server they can find.

> An administrator capable of upgrading packages when needed (e.g. for
> security updates) should have more reliable ways to learn the version of
> openssh-server running on their system than a cleartext banner sent
> across the network on port 22.

The specific case that prompted the banner in the first place was that
of a university trying to ensure that systems on its network were secure,
where the central administration doesn't have direct access to upgrade
packages nor any other such reliable way to determine package versions,
but does have the ability to disconnect vulnerable systems if need be.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
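To make concrete what the two sides of this thread are weighing, here is an added example (not Debian's or OpenSSH's own code) that parses the SSH identification string a server sends on port 22 and pulls out the distribution packaging suffix that DebianBanner controls. The sample banners are constructed for the example; the "debian-default" one is the shape Debian's sshd sends with DebianBanner set to yes, and "debian-quiet" is the same server with it set to no. The grab_banner() helper does a real TCP connect and is only for interactive use against a host you are allowed to scan.

```python
"""Parse SSH identification banners to see what the DebianBanner option exposes.

Added example for this bug thread; not code from Debian or OpenSSH.
Identification string format (RFC 4253, section 4.2):
    SSH-protoversion-softwareversion SP comments CR LF
With DebianBanner yes, Debian's sshd puts "Debian-<package revision>" in the
comments field; with DebianBanner no, the comments field is absent.
"""
import re
import socket
from typing import Optional, Tuple

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "debian-default": "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2",  # DebianBanner yes
    "debian-quiet": "SSH-2.0-OpenSSH_6.7p1",                    # DebianBanner no
    "ubuntu": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    "other": "SSH-1.99-Cisco-1.25",
}

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# "Debian-5+deb8u2" / "Ubuntu-4ubuntu2.8": distro name, dash, package revision.
DISTRO_RE = re.compile(r"^(?P<distro>[A-Za-z]+)-(?P<revision>\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")


def parse_banner(line: str) -> dict:
    """Split an identification string into protocol, software and distro parts.

    Raises ValueError for anything that is not an SSH identification line.
    """
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    info = {
        "proto": m["proto"],
        "software": m["software"],
        "comments": m["comments"],
        "distro": None,
        "distro_revision": None,
    }
    if m["comments"]:
        d = DISTRO_RE.match(m["comments"])
        if d:
            info["distro"] = d["distro"]
            info["distro_revision"] = d["revision"]
    return info


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable-patch) for an OpenSSH software field, else None.

    This upstream version is sent whether or not DebianBanner is enabled;
    only the distro revision in the comments field is optional.
    """
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))


def leaks_distro_revision(line: str) -> bool:
    """True when the banner carries a distribution package revision."""
    return parse_banner(line)["distro_revision"] is not None


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Connect and return the server's identification line (network access).

    RFC 4253 allows the server to send other lines before the one starting
    with "SSH-", so lines are read until that prefix appears.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        for raw in f:
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError(f"no SSH identification string from {host}:{port}")


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, parse_banner(banner))
```

The "debian-default" banner parses to distro "Debian" with revision "5+deb8u2", which is exactly the metadata the bug report objects to and exactly the field the university case relies on; the "debian-quiet" banner still yields OpenSSH 6.7p1, so disabling the option hides the Debian revision but not the upstream version. The server-side change under discussion is the single sshd_config line `DebianBanner no`.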

