Package: openssh-server
Version: 1:6.7p1-6
Severity: wishlist

Please change the default for the DebianBanner configuration variable to "no" from "yes".

It's not clear to me that the advantages of announcing the Debian version of the package that is running outweigh the additional metadata leakage. An administrator capable of upgrading packages when needed (e.g. for security updates) should have more reliable ways to learn the version of openssh-server running on their system than a cleartext banner sent across the network on port 22. And for systems that are not updated as frequently as they should be, announcing "I have not yet been patched" seems like an invitation for a scripted attack the next time an exploitable vulnerability is announced.

Thanks for maintaining OpenSSH in Debian!

Regards,

--dkg
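For an administrator who wants to verify on their own hosts whether this leak is present, the following is an added example (not part of the bug report and not Debian's or OpenSSH's code): it parses the SSH identification string that sshd sends on connect (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments CR LF") and flags a comments field carrying a distribution package revision. The sample banners are constructed, and the assumption that the Debian patch places the revision in the comments field as "Debian-<rev>" is an assumption made here, not something stated in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# The comments field is optional; that is where a distribution revision ends up.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    def leaks_distro_revision(self) -> bool:
        # Assumption: a comments field such as "Debian-6" is the package revision
        # appended by the distribution's sshd build (what DebianBanner controls).
        if not self.comments:
            return False
        return re.match(r"^(Debian|Ubuntu)-\S+", self.comments) is not None


def parse_ident(line: str) -> SshIdent:
    """Parse one identification string as received from an sshd."""
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m.group("proto"), m.group("software"), m.group("comments"))


# Constructed sample banners (not captured from real hosts); the revision "6"
# mirrors the package version 1:6.7p1-6 named in the report.
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "SSH-2.0-OpenSSH_6.7p1 Debian-6\r\n",  # DebianBanner yes (current default)
    "host-b": "SSH-2.0-OpenSSH_6.7p1\r\n",           # DebianBanner no (requested default)
}


def hosts_leaking_revision(banners: Dict[str, str]) -> List[str]:
    """Return the names of hosts whose banner exposes a distribution revision."""
    return sorted(h for h, b in banners.items() if parse_ident(b).leaks_distro_revision())


if __name__ == "__main__":
    print("hosts still announcing a Debian revision:", hosts_leaking_revision(SAMPLE_BANNERS))
```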