author | Kees Cook <kees@debian.org> | 2014-02-09 16:10:06 +0000 |
committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 12:08:02 +0000 |
commit | 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 (patch) | |
tree | 2a59419afa18a01c9f1982fad485111e1d4fd6ac | |
parent | a4f868858c3395cacb59c58786b501317b9a3d03 (diff) |
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2020-02-21
Patch-Name: debian-banner.patch
-rw-r--r-- | kex.c | 5 | ||||
-rw-r--r-- | kex.h | 2 | ||||
-rw-r--r-- | servconf.c | 9 | ||||
-rw-r--r-- | servconf.h | 2 | ||||
-rw-r--r-- | sshconnect.c | 2 | ||||
-rw-r--r-- | sshd.c | 3 | ||||
-rw-r--r-- | sshd_config.5 | 5 |
7 files changed, 23 insertions, 5 deletions
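--- a/kex.c
+++ b/kex.c
@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
  */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
-    const char *version_addendum)
+    int debian_banner, const char *version_addendum)
 {
 	int remote_major, remote_minor, mismatch;
 	size_t len, i, n;
@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 	if (version_addendum != NULL && *version_addendum == '\0')
 		version_addendum = NULL;
 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+	    debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
 	    version_addendum == NULL ? "" : " ",
 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));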
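Review bot: The new `int debian_banner` parameter at line 1229 is undocumented, and because it sits directly after `int timeout_ms` the two int arguments can be swapped at a call site without any compiler diagnostic. A one-line comment on the definition would help, e.g. `/* debian_banner: nonzero advertises SSH_RELEASE, zero the distribution-neutral SSH_RELEASE_MINIMUM */`. `SSH_RELEASE_MINIMUM` is not defined anywhere in this commit; it presumably comes from the package-versioning.patch named in the description, so this patch only builds when applied on top of that one. Note that the flag only changes the string placed in the identification line, not the code that is running, so it reduces version disclosure rather than hardening the daemon. kex_exchange_identification's body continues outside the hunk.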
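--- a/kex.h
+++ b/kex.h
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
 int kex_assemble_names(char **, const char *, const char *);
 int kex_gss_names_valid(const char *);
 
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
 
 struct kex *kex_new(void);
 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);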
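diff --git a/servconf.c b/servconf.c
index bf3cd84a4..7bbc25c2e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
 	options->fingerprint_hash = -1;
 	options->disable_forwarding = -1;
 	options->expose_userauth_info = -1;
+	options->debian_banner = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
 		options->expose_userauth_info = 0;
 	if (options->sk_provider == NULL)
 		options->sk_provider = xstrdup("internal");
+	if (options->debian_banner == -1)
+		options->debian_banner = 1;
 
 	assemble_algorithms(options);
 
@@ -556,6 +559,7 @@ typedef enum {
 	sStreamLocalBindMask, sStreamLocalBindUnlink,
 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+	sDebianBanner,
 	sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -719,6 +723,7 @@ static struct {
 	{ "rdomain", sRDomain, SSHCFG_ALL },
 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+	{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		*charptr = xstrdup(arg);
 		break;
 
+	case sDebianBanner:
+		intptr = &options->debian_banner;
+		goto parse_flag;
+
 	case sDeprecated:
 	case sIgnore:
 	case sUnsupported: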
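Review bot: The option is initialised, defaulted and parsed, but it does not appear to be added to the `sshd -T` configuration dump: the diffstat's nine changed lines in servconf.c are all accounted for by the hunks above, so `dump_config` presumably still omits `debianbanner`, and an administrator cannot confirm the effective value from the extended-test output the way they can for the neighbouring flags. A `dump_cfg_fmtint(sDebianBanner, o->debian_banner);` line next to the other integer flags would close that gap; that function is outside the hunk, so I cannot confirm its exact shape here. Registering the keyword as `SSHCFG_GLOBAL` at line 726 is appropriate, since the identification line is sent before any Match criteria are known.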
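diff --git a/servconf.h b/servconf.h
index 3f47ea25e..3fa05fcac 100644
--- a/servconf.h
+++ b/servconf.h
@@ -221,6 +221,8 @@ typedef struct {
 	int expose_userauth_info;
 	u_int64_t timing_secret;
 	char *sk_provider;
+
+	int debian_banner;
 } ServerOptions;
 
 /* Information about the incoming connection as used by Match */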
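diff --git a/sshconnect.c b/sshconnect.c
index b796d3c8a..9f2412e0d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 	lowercase(host);
 
 	/* Exchange protocol version identification strings with the server. */
-	if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
+	if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
 		cleanup_exit(255); /* error already logged */
 
 	/* Put the connection into non-blocking mode. */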
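Review bot: The bare literal `1` passed at line 1295 is a magic number; a reader must look up the prototype to learn that it is the debian_banner flag and that the client always advertises the full release string. A trailing comment, `ssh, timeout_ms, 1 /* debian_banner */, NULL`, or a named constant shared with sshd.c would make the call self-describing. ssh_login's body continues outside the hunk.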
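--- a/sshd.c
+++ b/sshd.c
@@ -2187,7 +2187,8 @@ main(int ac, char **av)
 	if (!debug_flag)
 		alarm(options.login_grace_time);
 
-	if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+	if (kex_exchange_identification(ssh, -1, options.debian_banner,
+	    options.version_addendum) != 0)
 		cleanup_exit(255); /* error already logged */
 
 	ssh_packet_set_nonblocking(ssh);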
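diff --git a/sshd_config.5 b/sshd_config.5
index ebd09f891..c926f584c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -542,6 +542,11 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.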