On Thu, Jun 04, 2015 at 10:35:37AM -0400, Micah Anderson wrote:
> . it is used as a selector in NSA's XKEYSCORE queries in conjunction
> with the metadata database of potentially exploitable services
> (BLEAKINQUIRY) by the NSA group "S31176" for targeted exploit and
> compromise[1][2]
This is a somewhat more compelling argument; I'll think about it.

> . it is used by annoying "security" scanners, such as Nessus to
> incorrectly identify vulnerable versions <-- I would normally argue
> that version strings are a terrible way of finding an actual
> vulnerability, in fact I *regularly* have to argue with people who run
> these "security" scanners against our network and then bring us a
> report to show me how many "vulnerable" services we have because the
> version numbers in their outdated database don't take into account
> Debian Security fixes... but this is precisely why I am bringing this
> up, because I have to regularly argue with people about these version
> strings. They are wrong, of course, but I don't want to have to deal
> with that pointless argument. If there was no version string, I
> wouldn't have to do that anymore.

But that's exactly why DebianBanner was introduced: so that it's
*possible* for such scanners to distinguish fixed versions, given
knowledge of our security updates, and to give you a reasonable argument
for the security folks in your organisation to leave you alone once
you've applied updates. Upstream's non-configurable default is to include
the OpenSSH version in the banner (e.g. "OpenSSH_6.8p1"). DebianBanner
merely makes this more fine-grained.

You're asking for something quite different here, which is
https://bugzilla.mindrot.org/show_bug.cgi?id=764; but that's WONTFIX
upstream for good reason, because it's still necessary to use the
version for protocol compatibility tweaks. The most recent version of
itself that OpenSSH needs to distinguish in this manner is as recent as
6.6p1, to deal with a key exchange bug in its implementation of ED25519,
and something different comes along here every couple of years or so;
this is not an archaic thing that can safely be discarded.
As such, the best that we can do without causing real and significant
interoperability problems is to advertise "SSH-2.0-OpenSSH_6.7p1" rather
than "SSH-2.0-OpenSSH_6.7p1 Debian-5" in our banner. You'll still have
to argue with people about these version strings; in fact, if you're
having to do so right now, disabling DebianBanner will almost certainly
cause you to have to do so more often.

> . it's used in CTF (capture the flag) events, in order to know what OS is
> running on a system that only has ssh running, and what version of ssh
> is running so that you can look at exploits that could be used to
> compromise the system for a flag.

Yeah, though dealing with this seems like a drop in the ocean compared
to things like TCP stack fingerprinting that are much harder to address.

-- 
Colin Watson [cjwat...@debian.org]
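The distinction drawn in the reply above, between a scanner that matches on the upstream OpenSSH version alone and one that can use the Debian revision that DebianBanner appends, can be made concrete with a small banner classifier. The following is an added example, not code from this thread, from OpenSSH or from Debian. It parses the RFC 4253 identification string ("SSH-protoversion-softwareversion SP comments"), splits out the upstream version and the "Debian-N" or "Debian-N+debXuY" comment, and checks both against an advisory record. The `Advisory` record, the `assess`/`naive_assess` names and the sample banners are constructed for illustration; the advisory itself is hypothetical, shaped like the "SSH-2.0-OpenSSH_6.7p1 Debian-5" example in the message.

```python
"""Classify SSH identification banners against a (hypothetical) advisory.

Added example; not code from the thread, from OpenSSH or from Debian.
The advisory record below is constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?:[ \t]+(?P<comments>.*))?$"
)
# Upstream OpenSSH softwareversion, e.g. "OpenSSH_6.7p1" ("p1" = portable release).
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p\d+)?$")
# The comment DebianBanner appends, e.g. "Debian-5" or "Debian-5+deb8u2".
DEBIAN_RE = re.compile(r"^Debian-(?P<rev>\d+)(?:\+deb\d+u(?P<upd>\d+))?")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Banner:
    proto: str
    software: str
    openssh: Optional[Version]             # None if the server is not OpenSSH
    debian_rev: Optional[Tuple[int, int]]  # (revision, stable update); None without DebianBanner


def parse_banner(line: str) -> Banner:
    """Split one identification string into its upstream and Debian parts."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    software = m.group("software")
    comments = m.group("comments") or ""
    up = OPENSSH_RE.match(software)
    deb = DEBIAN_RE.match(comments)
    return Banner(
        proto=m.group("proto"),
        software=software,
        openssh=parse_version(up.group("ver")) if up else None,
        debian_rev=(int(deb.group("rev")), int(deb.group("upd") or 0)) if deb else None,
    )


@dataclass(frozen=True)
class Advisory:
    """Constructed, hypothetical advisory: fixed upstream in `fixed_upstream`,
    and backported by Debian into upstream base `debian_base` at revision `debian_rev`."""
    name: str
    fixed_upstream: Version
    debian_base: Version
    debian_rev: Tuple[int, int]


# Hypothetical data, in the shape of the example in the message: the fix lands
# upstream in 6.8 and is backported to Debian's 6.7p1 package at revision Debian-4.
ADVISORY = Advisory("hypothetical-issue", (6, 8), (6, 7), (4, 0))


def naive_assess(line: str, adv: Advisory = ADVISORY) -> str:
    """What a scanner that only matches on the upstream version concludes."""
    b = parse_banner(line)
    if b.openssh is None:
        return "unknown"
    return "unaffected" if b.openssh >= adv.fixed_upstream else "vulnerable"


def assess(line: str, adv: Advisory = ADVISORY) -> str:
    """Use the Debian revision, when present, to recognise backported fixes."""
    b = parse_banner(line)
    if b.openssh is None:
        return "unknown"
    if b.openssh >= adv.fixed_upstream:
        return "unaffected"
    if b.debian_rev is None:
        # The upstream version alone cannot say whether the distro backported the fix.
        return "unknown"
    if b.openssh != adv.debian_base:
        return "unknown"  # no record for this upstream base in the advisory
    return "fixed-by-distro" if b.debian_rev >= adv.debian_rev else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners; the last one is what disabling DebianBanner yields.
    for banner in (
        "SSH-2.0-OpenSSH_6.8p1",
        "SSH-2.0-OpenSSH_6.7p1 Debian-5",
        "SSH-2.0-OpenSSH_6.7p1 Debian-3",
        "SSH-2.0-OpenSSH_6.7p1",
    ):
        print(f"{banner:36s} naive={naive_assess(banner):12s} with-revision={assess(banner)}")
```

Run stand-alone, the script shows the two scanner models side by side: the naive one flags "OpenSSH_6.7p1 Debian-5" as vulnerable, which is the argument the reporter says he keeps having, while the revision-aware one reports it as fixed. With the Debian comment stripped, even the revision-aware scanner can only report "unknown", which is the point made in the reply about disabling DebianBanner.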