Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2020-06-07 Patch-Name: debian-banner.patch
author: Kees Cook <kees@debian.org> 2014-02-09 16:10:06 +0000
committer: Colin Watson <cjwatson@debian.org> 2020-06-07 10:25:35 +0100
commit: 90c1c8771b61dd3ee0eacb4e1cfac404dc42f4b0 (patch)
tree: 7c28a64bbe2c91e1381e2f36dc96e39c4ba36212
parent: d66c30698f807ab95aee7ea4a882c192884df047 (diff)
7 files changed, 22 insertions, 5 deletions
diff --git a/kex.c b/kex.c
index 0e64bf760..aa5acaac3 100644
--- a/kex.c
+++ b/kex.c
@@ -1225,7 +1225,7 @@ send_error(struct ssh *ssh, char *msg)
 */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
-    const char *version_addendum)
+    int debian_banner, const char *version_addendum)
 {
        int remote_major, remote_minor, mismatch, oerrno = 0;
        size_t len, i, n;
@@ -1243,7 +1243,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
        if (version_addendum != NULL && *version_addendum == '\0')
                version_addendum = NULL;
        if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+            debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
            version_addendum == NULL ? "" : " ",
            version_addendum == NULL ? "" : version_addendum)) != 0) {
                oerrno = errno;
diff --git a/kex.h b/kex.h
index fe7141414..938dca03b 100644
--- a/kex.h
+++ b/kex.h
@@ -194,7 +194,7 @@ char	*kex_names_cat(const char *, const char *);
 int      kex_assemble_names(char **, const char *, const char *);
 int      kex_gss_names_valid(const char *);
-int      kex_exchange_identification(struct ssh *, int, const char *);
+int      kex_exchange_identification(struct ssh *, int, int, const char *);
 struct kex *kex_new(void);
 int      kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index ff5b9436c..cf4e52f3b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
        options->fingerprint_hash = -1;
        options->disable_forwarding = -1;
        options->expose_userauth_info = -1;
+        options->debian_banner = -1;
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
                options->expose_userauth_info = 0;
        if (options->sk_provider == NULL)
                options->sk_provider = xstrdup("internal");
+        if (options->debian_banner == -1)
+                options->debian_banner = 1;
        assemble_algorithms(options);
@@ -556,6 +559,7 @@ typedef enum {
        sStreamLocalBindMask, sStreamLocalBindUnlink,
        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
        sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+        sDebianBanner,
        sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
@@ -719,6 +723,7 @@ static struct {
        { "rdomain", sRDomain, SSHCFG_ALL },
        { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
        { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -2393,6 +2398,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                        *charptr = xstrdup(arg);
                break;
+        case sDebianBanner:
+                intptr = &options->debian_banner;
+                goto parse_flag;
        case sDeprecated:
        case sIgnore:
        case sUnsupported:
diff --git a/servconf.h b/servconf.h
index 253cad97e..5a2b60512 100644
--- a/servconf.h
+++ b/servconf.h
@@ -226,6 +226,8 @@ typedef struct {
        int     expose_userauth_info;
        u_int64_t timing_secret;
        char   *sk_provider;
+        int     debian_banner;
 }       ServerOptions;
 /* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index f20d3e792..1e5b8ea5a 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1293,7 +1293,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
        lowercase(host);
        /* Exchange protocol version identification strings with the server. */
-        if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+        if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0)
                sshpkt_fatal(ssh, r, "banner exchange");
        /* Put the connection into non-blocking mode. */
diff --git a/sshd.c b/sshd.c
index e8b332ca4..baee13506 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2181,7 +2181,7 @@ main(int ac, char **av)
        if (!debug_flag)
                alarm(options.login_grace_time);
-        if ((r = kex_exchange_identification(ssh, -1,
+        if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
            options.version_addendum)) != 0)
                sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
index 9f093be1f..753ceda10 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -540,6 +540,11 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
author	Kees Cook <kees@debian.org>	2014-02-09 16:10:06 +0000
committer	Colin Watson <cjwatson@debian.org>	2020-06-07 10:25:35 +0100
commit	90c1c8771b61dd3ee0eacb4e1cfac404dc42f4b0 (patch)
tree	7c28a64bbe2c91e1381e2f36dc96e39c4ba36212
parent	d66c30698f807ab95aee7ea4a882c192884df047 (diff)