authorKees Cook <kees@debian.org>2014-02-09 16:10:06 +0000
committerColin Watson <cjwatson@debian.org>2015-09-17 13:52:40 +0100
commit79b8c11f2b7a8258dee45e8f10ee58d0f4e48340 (patch)
tree4b8d26b00917eee2ea167468f0075fa0df2ab730
parent6de10ec1ff53c5b52621244b66cae91df3901fa2 (diff)
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-banner.patch
-rw-r--r--servconf.c9
-rw-r--r--servconf.h2
-rw-r--r--sshd.c3
-rw-r--r--sshd_config.55
4 files changed, 18 insertions, 1 deletions
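--- a/servconf.c
+++ b/servconf.c
@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
  options->ip_qos_bulk = -1;
  options->version_addendum = NULL;
  options->fingerprint_hash = -1;
+ options->debian_banner = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -347,6 +348,8 @@ fill_default_server_options(ServerOptions *options)
  options->fwd_opts.streamlocal_bind_unlink = 0;
  if (options->fingerprint_hash == -1)
  options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
  use_privsep = PRIVSEP_NOSANDBOX;
@@ -419,6 +422,7 @@ typedef enum {
  sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
  sStreamLocalBindMask, sStreamLocalBindUnlink,
  sAllowStreamLocalForwarding, sFingerprintHash,
+ sDebianBanner,
  sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -565,6 +569,7 @@ static struct {
  { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
  { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
  { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
  { NULL, sBadOption, 0 }
 };
 
@@ -1850,6 +1855,10 @@ process_server_config_line(ServerOptions *options, char *line,
  options->fingerprint_hash = value;
  break;
 
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_int;
+
  case sDeprecated:
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);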
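Review bot: The new `case sDebianBanner` in process_server_config_line jumps to `parse_int`, while the sshd_config.5 text added by this same commit documents the option as `yes`/`no`. The `parse_int` body is outside the hunk, but if it converts the argument numerically, `DebianBanner yes` would not be stored as 1 and a mistyped value would be accepted without complaint, so the handshake could disclose more or less than the administrator intended. Routing the option through the yes/no parser with `goto parse_flag;` would reject anything other than the documented values. The function starts and ends outside the hunk.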
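--- a/servconf.h
+++ b/servconf.h
@@ -196,6 +196,8 @@ typedef struct {
  char *auth_methods[MAX_AUTH_METHODS];
 
  int fingerprint_hash;
+
+ int debian_banner;
 } ServerOptions;
 
 /* Information about the incoming connection as used by Match */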
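Review bot: The new `debian_banner` member of ServerOptions carries no comment, and its three states can only be learned from servconf.c, where it is initialised to -1 and later defaulted to 1. A trailing comment such as `int debian_banner; /* DebianBanner: -1 unset, 0 omit Debian revision from banner, 1 include it */` would make that explicit for anyone reading the header. The struct starts outside the hunk.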
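--- a/sshd.c
+++ b/sshd.c
@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
  }
 
  xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_RELEASE,
+ major, minor,
+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
  *options.version_addendum == '\0' ? "" : " ",
  options.version_addendum, newline);
 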
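Review bot: `SSH_RELEASE_MINIMUM` on new line 446 is not defined in any file this commit touches. Judging by the description it presumably comes from package-versioning.patch, so the patch depends on that one being applied first, and the patch header should say so. The call would also benefit from a comment stating what the option does and does not hide, e.g. `/* DebianBanner=no swaps in SSH_RELEASE_MINIMUM; protocol version and VersionAddendum are still sent */`, so the setting is not mistaken for a way to conceal the server version. sshd_exchange_identification starts and ends outside the hunk.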
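--- a/sshd_config.5
+++ b/sshd_config.5
@@ -528,6 +528,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.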