authorColin Watson <cjwatson@debian.org>2010-01-16 00:07:00 +0000
committerColin Watson <cjwatson@debian.org>2010-01-16 00:07:00 +0000
commit730e12063b532f59292af38f584d84127a77ebdd (patch)
tree0fe553bd04207ffde728f350a1f21dfb5966bf14
parent5df50c6ed93365589bbcfb6a1925828b1273c7a9 (diff)
Implement DebianBanner server configuration flag that can be set to "no"
to allow sshd to run without the Debian-specific extra version in the initial protocol handshake (closes: #562048).
-rw-r--r--debian/changelog6
-rw-r--r--servconf.c9
-rw-r--r--servconf.h2
-rw-r--r--sshd.c3
-rw-r--r--sshd_config.55
-rw-r--r--version.h5
6 files changed, 27 insertions, 3 deletions
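--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 openssh (1:5.2p1-2) UNRELEASED; urgency=low
 
+ [ Colin Watson ]
  * Backport from upstream:
  - After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
  re-execs itself. Prevents two HUPs in quick succession from resulting
@@ -11,6 +12,11 @@ openssh (1:5.2p1-2) UNRELEASED; urgency=low
  release of Debian dropped support for Linux 2.4, let alone 2.0, so this
  very likely has no remaining users depending on it.
 
+ [ Kees Cook ]
+ * Implement DebianBanner server configuration flag that can be set to "no"
+ to allow sshd to run without the Debian-specific extra version in the
+ initial protocol handshake (closes: #562048).
+
  -- Colin Watson <cjwatson@debian.org> Sun, 10 Jan 2010 22:06:28 +0000
 
 openssh (1:5.2p1-1) unstable; urgency=low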
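--- a/servconf.c
+++ b/servconf.c
@@ -132,6 +132,7 @@ initialize_server_options(ServerOptions *options)
  options->adm_forced_command = NULL;
  options->chroot_directory = NULL;
  options->zero_knowledge_password_authentication = -1;
+ options->debian_banner = -1;
 }
 
 void
@@ -273,6 +274,8 @@ fill_default_server_options(ServerOptions *options)
  options->permit_tun = SSH_TUNMODE_NO;
  if (options->zero_knowledge_password_authentication == -1)
  options->zero_knowledge_password_authentication = 0;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
 
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
@@ -320,6 +323,7 @@ typedef enum {
  sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
  sZeroKnowledgePasswordAuthentication,
+ sDebianBanner,
  sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -449,6 +453,7 @@ static struct {
  { "permitopen", sPermitOpen, SSHCFG_ALL },
  { "forcecommand", sForceCommand, SSHCFG_ALL },
  { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
  { NULL, sBadOption, 0 }
 };
 
@@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions *options, char *line,
  *charptr = xstrdup(arg);
  break;
 
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_int;
+
  case sDeprecated:
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);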
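Review bot: The new `case sDebianBanner:` arm in process_server_config_line jumps to `parse_int`, while the commit message and the sshd_config.5 text describe the option as taking "yes" or "no". The `parse_int` label is outside this hunk, but if it converts the argument numerically, an explicit `DebianBanner yes` would presumably be read as 0 and switch the suffix off, the opposite of the documented meaning. The arm should use the yes/no flag parser that the other boolean keywords in this file use: `goto parse_flag;`. The rest of the switch is not visible here, so confirm the label name against the surrounding cases.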
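--- a/servconf.h
+++ b/servconf.h
@@ -154,6 +154,8 @@ typedef struct {
 
  int num_permitted_opens;
 
+ int debian_banner;
+
  char *chroot_directory;
 } ServerOptions;
 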
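--- a/sshd.c
+++ b/sshd.c
@@ -425,7 +425,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
  minor = PROTOCOL_MINOR_1;
  }
  snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_RELEASE, newline);
+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+ newline);
  server_version_string = xstrdup(buf);
 
  /* Send our protocol version identification. */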
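Review bot: The ternary added to the snprintf() call in sshd_exchange_identification has no comment stating how little the option hides: `SSH_RELEASE_MINIMUM` still expands to the upstream version plus the portable tag, so the OpenSSH release remains readable in the identification string. A comment above the call, for example `/* DebianBanner no: drop only the SSH_EXTRAVERSION suffix; the upstream version is still announced */`, would stop operators from treating the setting as version hiding. Dropping the suffix may also make version-based scanners misjudge the patch level, because the distribution revision is what tells them about backported fixes. The function body continues outside this hunk.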
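--- a/sshd_config.5
+++ b/sshd_config.5
@@ -314,6 +314,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.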
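--- a/version.h
+++ b/version.h
@@ -3,8 +3,9 @@
 #define SSH_VERSION "OpenSSH_5.2"
 
 #define SSH_PORTABLE "p1"
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
 #ifdef SSH_EXTRAVERSION
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
 #else
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
 #endif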
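Review bot: `SSH_RELEASE_MINIMUM` is added without a comment saying what it is for or how it relates to `SSH_RELEASE`. A one-line comment above it would help, for example `/* Identification string without the distribution suffix; sent when DebianBanner is "no" */`. It is also worth noting there that in a build without `SSH_EXTRAVERSION` both macros expand to the same string, so the option has no visible effect.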