Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-banner.patch
author: Kees Cook <kees@debian.org> 2014-02-09 16:10:06 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-03-19 16:40:06 +0000
commit: 75e44c43679e8b888b7ef55ce7abe432eb57ef1c (patch)
tree: 73db865971fcd71d6f3fc9ae5770a01248afb78c
parent: 07b738d2bf93a5e3c57ab242b666a5f58484c7a3 (diff)
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index 65f71ade8..63ff4ffbc 100644
--- a/servconf.c
+++ b/servconf.c
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
        options->version_addendum = NULL;
+        options->debian_banner = -1;
 }
 void
@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
        if (options->version_addendum == NULL)
                options->version_addendum = xstrdup("");
+        if (options->debian_banner == -1)
+                options->debian_banner = 1;
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
@@ -362,6 +365,7 @@ typedef enum {
        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
        sAuthenticationMethods, sHostKeyAgent,
+        sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -504,6 +508,7 @@ static struct {
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -1666,6 +1671,10 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
+        case sDebianBanner:
+                intptr = &options->debian_banner;
+                goto parse_int;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
diff --git a/servconf.h b/servconf.h
index eba76ee1d..98d68ceaf 100644
--- a/servconf.h
+++ b/servconf.h
@@ -188,6 +188,8 @@ typedef struct {
        u_int   num_auth_methods;
        char   *auth_methods[MAX_AUTH_METHODS];
+        int     debian_banner;
 }       ServerOptions;
 /* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index 82168a186..c49a87773 100644
--- a/sshd.c
+++ b/sshd.c
@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
        }
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-            major, minor, SSH_RELEASE,
+            major, minor,
+            options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
            *options.version_addendum == '\0' ? "" : " ",
            options.version_addendum, newline);
diff --git a/sshd_config.5 b/sshd_config.5
index 39643deb1..bdca79724 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -413,6 +413,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
author	Kees Cook <kees@debian.org>	2014-02-09 16:10:06 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-03-19 16:40:06 +0000
commit	75e44c43679e8b888b7ef55ce7abe432eb57ef1c (patch)
tree	73db865971fcd71d6f3fc9ae5770a01248afb78c
parent	07b738d2bf93a5e3c57ab242b666a5f58484c7a3 (diff)