
Bug#925238: marked as done (openssh-server: OpenSSH server displays the distro name in its strings through netcat)



Your message dated Thu, 21 Mar 2019 16:21:26 +0000
with message-id <20190321162126.ffhzrojhwu6afavk@riva.ucam.org>
and subject line Re: Bug#925238: openssh-server: OpenSSH server displays the distro name in its strings through netcat
has caused the Debian Bug report #925238,
regarding openssh-server: OpenSSH server displays the distro name in its strings through netcat
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925238: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925238
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:7.9p1-9
Severity: normal

Hi,

I've remarked a security issue with openssh-server. The problem manifests if
you run netcat.

Example :
netcat localhost 22

In that case the string displayed is :
SSH-2.0-OpenSSH_7.9p1 Debian-9

At least the Debian string should not be displayed, because otherwise it leaks
information about the installed system, with possible consequences a more
severe attack somewhere else.

Could you please remove the string referring to Debian ?



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.5
ii  libaudit1              1:2.8.4-2
ii  libc6                  2.28-8
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-2
ii  libkrb5-3              1.17-2
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1b-1
ii  libsystemd0            241-1
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019031300
ii  openssh-client         1:7.9p1-9
ii  openssh-sftp-server    1:7.9p1-9
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-1
ii  ncurses-term    6.1+20181013-2
ii  xauth           1:1.0.10-1

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]  4:5.14.5-1
pn  molly-guard                <none>
pn  monkeysphere               <none>
pn  rssh                       <none>
pn  ufw                        <none>

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

On Thu, Mar 21, 2019 at 04:52:16PM +0100, Julien Aubin wrote:
> I've remarked a security issue with openssh-server. The problem manifests if
> you run netcat.
> 
> Example :
> netcat localhost 22
> 
> In that case the string displayed is :
> SSH-2.0-OpenSSH_7.9p1 Debian-9
> 
> At least the Debian string should not be displayed, because otherwise it leaks
> information about the installed system, with possible consequences a more
> severe attack somewhere else.

In practice attackers tend to simply try attacks anyway; trying to hide
the version string is not particularly useful.  The earlier part of the
banner is required for protocol compatibility negotiation between
clients and servers, and given that I've always felt it's better to
include the Debian revision as well.

> Could you please remove the string referring to Debian ?

If you want to do this then you can put "DebianBanner no" in
/etc/ssh/sshd_config.  I do not intend to change the default.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
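
The banner layout discussed in this thread, as an added example (not part of either message, and not Debian's or OpenSSH's code): a parser for the identification string format of RFC 4253 section 4.2 that separates the fields used for protocol negotiation from the optional comments field where the Debian revision appears, so an administrator can check whether "DebianBanner no" has taken effect. The names SshIdent, parse_ident, has_vendor_suffix and read_ident are hypothetical.

```python
import socket
from typing import NamedTuple, Optional

class SshIdent(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]  # optional trailer; "Debian-9" lands here

def parse_ident(line: bytes) -> SshIdent:
    """Parse 'SSH-protoversion-softwareversion[ SP comments] CR LF'."""
    if len(line) > 255:  # RFC 4253 limit, CR LF included
        raise ValueError("identification string longer than 255 bytes")
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    head, _, comments = text.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed identification string")
    return SshIdent(parts[1], parts[2], comments or None)

def has_vendor_suffix(ident: SshIdent) -> bool:
    """True when the banner carries the optional comments field."""
    return ident.comments is not None

def read_ident(host: str, port: int = 22, timeout: float = 5.0) -> SshIdent:
    """Fetch the banner from a host you administer (what netcat displayed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for _ in range(50):  # a server may send other lines first
                line = stream.readline(256)
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return parse_ident(line)
    raise ValueError("no SSH identification string received")

if __name__ == "__main__":
    # First banner is the one quoted in the report; the second is a
    # constructed sample of the same banner without the suffix.
    for raw in (b"SSH-2.0-OpenSSH_7.9p1 Debian-9\r\n", b"SSH-2.0-OpenSSH_7.9p1\r\n"):
        ident = parse_ident(raw)
        print(ident, "suffix present:", has_vendor_suffix(ident))
```

The protocol and software version fields remain in the banner either way, which is the part of the string the reply describes as required for compatibility negotiation.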
