
Bug#786987: openssh-server: please have DebianBanner default to no



On Wed, May 27, 2015 at 07:33:12PM +0200, Christoph Anton Mitterer wrote:
> As I've said... I (personally) don't feel that concerned about this
> specific issue - we have other much more serious security problems in
> OpenSSH.

OK, but you took the trouble to reply to this bug to disagree in the
first place. :-)

> I guess DKG's idea simply was that we shouldn't wait for an example case
> where an attacker may abuse this (simply because it's too late then),
> but proactively change it now.

I would normally sympathise with that.  In this case, though, the
original rationale for the change allowed real admins to avoid worrying
about a bunch of machines that had clearly already been upgraded, and
spend time on dealing with getting the people running out-of-date
machines to upgrade; when talking about thousands of heterogeneous
student-run machines that's a win for overall security even if it isn't
as dramatic as an exploit.  So I'm in a position where I have real-world
information on one side and hypotheticals on the other, which makes the
hypotheticals less convincing.  I hope that makes my position a bit
clearer.

-- 
Colin Watson                                       [cjwatson@debian.org]

