Bug#786987: openssh-server: please have DebianBanner default to no
On Wed, May 27, 2015 at 07:33:12PM +0200, Christoph Anton Mitterer wrote:
> As I've said... I (personally) don't feel that concerned about this
> specific issue - we have other much more serious security problems in
> OpenSSH.
OK, but you took the trouble to reply to this bug to disagree in the
first place. :-)
> I guess DKG's idea simply was that we shouldn't wait for an example case
> where an attacker may abuse this (simply because it's too late then),
> but proactively change it now.
I would normally sympathise with that. In this case, though, the
original rationale for the change allowed real admins to avoid worrying
about a bunch of machines that had clearly already been upgraded, and
spend time on dealing with getting the people running out-of-date
machines to upgrade; when talking about thousands of heterogeneous
student-run machines that's a win for overall security even if it isn't
as dramatic as an exploit. So I'm in a position where I have real-world
information on one side and hypotheticals on the other, which makes the
hypotheticals less convincing. I hope that makes my position a bit
clearer.
--
Colin Watson [cjwatson@debian.org]