authorKees Cook <kees@debian.org>2014-02-09 16:10:06 +0000
committerColin Watson <cjwatson@debian.org>2020-02-21 12:08:02 +0000
commit7d20d00ea24ec0c3fffacc80ab271d0699d198c6 (patch)
tree2a59419afa18a01c9f1982fad485111e1d4fd6ac
parenta4f868858c3395cacb59c58786b501317b9a3d03 (diff)
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-banner.patch
-rw-r--r--kex.c5
-rw-r--r--kex.h2
-rw-r--r--servconf.c9
-rw-r--r--servconf.h2
-rw-r--r--sshconnect.c2
-rw-r--r--sshd.c3
-rw-r--r--sshd_config.55
7 files changed, 23 insertions, 5 deletions
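--- a/kex.c
+++ b/kex.c
@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
  */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
 {
  int remote_major, remote_minor, mismatch;
  size_t len, i, n;
@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
  if (version_addendum != NULL && *version_addendum == '\0')
  version_addendum = NULL;
  if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
  version_addendum == NULL ? "" : " ",
  version_addendum == NULL ? "" : version_addendum)) != 0) {
  error("%s: sshbuf_putf: %s", __func__, ssh_err(r));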
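Review bot: The new `debian_banner` parameter of kex_exchange_identification is not documented anywhere in the hunk, and because it is a positional int sitting next to `timeout_ms` a reader cannot tell from a call site what 1 or 0 means. The function's leading comment (it opens above the first hunk, and the body continues below the second) should state that a non-zero value advertises `SSH_RELEASE` and zero advertises `SSH_RELEASE_MINIMUM` in the identification string. `SSH_RELEASE_MINIMUM` is defined outside this diff; presumably it is the upstream version without the distribution suffix, so the option hides only that suffix and not the release itself, which the comment could also spell out so operators do not expect more from it.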
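--- a/kex.h
+++ b/kex.h
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
 int kex_assemble_names(char **, const char *, const char *);
 int kex_gss_names_valid(const char *);
 
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
 
 struct kex *kex_new(void);
 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);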
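--- a/servconf.c
+++ b/servconf.c
@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
  options->fingerprint_hash = -1;
  options->disable_forwarding = -1;
  options->expose_userauth_info = -1;
+ options->debian_banner = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
  options->expose_userauth_info = 0;
  if (options->sk_provider == NULL)
  options->sk_provider = xstrdup("internal");
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
 
  assemble_algorithms(options);
 
@@ -556,6 +559,7 @@ typedef enum {
  sStreamLocalBindMask, sStreamLocalBindUnlink,
  sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
  sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sDebianBanner,
  sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -719,6 +723,7 @@ static struct {
  { "rdomain", sRDomain, SSHCFG_ALL },
  { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
  { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
  { NULL, sBadOption, 0 }
 };
 
@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
  *charptr = xstrdup(arg);
  break;
 
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
  case sDeprecated:
  case sIgnore:
  case sUnsupported: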
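--- a/servconf.h
+++ b/servconf.h
@@ -221,6 +221,8 @@ typedef struct {
  int expose_userauth_info;
  u_int64_t timing_secret;
  char *sk_provider;
+
+ int debian_banner;
 } ServerOptions;
 
 /* Information about the incoming connection as used by Match */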
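Review bot: The new `debian_banner` field is added without a comment saying what the flag controls, and its tri-state convention (-1 until initialize_server_options runs, filled to 1 by fill_default_server_options in servconf.c) is only discoverable by reading the other files in this commit. I would write `int debian_banner; /* include distribution version suffix in the banner; -1 = unset */` so the header stands on its own. The blank line inserted before it also separates it from the neighbouring plain fields, which reads as a stray layout change unless intended.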
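--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
  lowercase(host);
 
  /* Exchange protocol version identification strings with the server. */
- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
  cleanup_exit(255); /* error already logged */
 
  /* Put the connection into non-blocking mode. */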
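Review bot: The bare literal `1` passed as the new third argument is a magic value; nothing at the call site says it is the debian_banner flag or why the client unconditionally sets it, given the client has no corresponding configuration option in this commit. A short comment on the call, `/* client side: always send the full release string */`, would make that explicit. ssh_login starts and ends outside the hunk.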
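--- a/sshd.c
+++ b/sshd.c
@@ -2187,7 +2187,8 @@ main(int ac, char **av)
  if (!debug_flag)
  alarm(options.login_grace_time);
 
- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+ if (kex_exchange_identification(ssh, -1, options.debian_banner,
+ options.version_addendum) != 0)
  cleanup_exit(255); /* error already logged */
 
  ssh_packet_set_nonblocking(ssh);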
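--- a/sshd_config.5
+++ b/sshd_config.5
@@ -542,6 +542,11 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.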