diff options
| author | Kees Cook <kees@debian.org> | 2014-02-09 16:10:06 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:27:21 +0100 |
| commit | 114c8a8fb488cbe39507edb75c51198a4b9e8b24 (patch) | |
| tree | 7acc2667122984f8fa6565853bb747e8328558ec | |
| parent | 8679c96f74ee7dbea6c15c764b036fbab7372740 (diff) | |
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: debian-banner.patch
| -rw-r--r-- | servconf.c | 9 | ||||
| -rw-r--r-- | servconf.h | 2 | ||||
| -rw-r--r-- | sshd.c | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 5 |
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c index a25248782..6c7741ab2 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -160,6 +160,7 @@ initialize_server_options(ServerOptions *options) | |||
| 160 | options->ip_qos_interactive = -1; | 160 | options->ip_qos_interactive = -1; |
| 161 | options->ip_qos_bulk = -1; | 161 | options->ip_qos_bulk = -1; |
| 162 | options->version_addendum = NULL; | 162 | options->version_addendum = NULL; |
| 163 | options->debian_banner = -1; | ||
| 163 | } | 164 | } |
| 164 | 165 | ||
| 165 | void | 166 | void |
| @@ -321,6 +322,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 321 | options->fwd_opts.streamlocal_bind_mask = 0177; | 322 | options->fwd_opts.streamlocal_bind_mask = 0177; |
| 322 | if (options->fwd_opts.streamlocal_bind_unlink == -1) | 323 | if (options->fwd_opts.streamlocal_bind_unlink == -1) |
| 323 | options->fwd_opts.streamlocal_bind_unlink = 0; | 324 | options->fwd_opts.streamlocal_bind_unlink = 0; |
| 325 | if (options->debian_banner == -1) | ||
| 326 | options->debian_banner = 1; | ||
| 324 | /* Turn privilege separation on by default */ | 327 | /* Turn privilege separation on by default */ |
| 325 | if (use_privsep == -1) | 328 | if (use_privsep == -1) |
| 326 | use_privsep = PRIVSEP_NOSANDBOX; | 329 | use_privsep = PRIVSEP_NOSANDBOX; |
| @@ -373,6 +376,7 @@ typedef enum { | |||
| 373 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, | 376 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
| 374 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 377 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
| 375 | sAllowStreamLocalForwarding, | 378 | sAllowStreamLocalForwarding, |
| 379 | sDebianBanner, | ||
| 376 | sDeprecated, sUnsupported | 380 | sDeprecated, sUnsupported |
| 377 | } ServerOpCodes; | 381 | } ServerOpCodes; |
| 378 | 382 | ||
| @@ -514,6 +518,7 @@ static struct { | |||
| 514 | { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, | 518 | { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, |
| 515 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, | 519 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, |
| 516 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, | 520 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
| 521 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | ||
| 517 | { NULL, sBadOption, 0 } | 522 | { NULL, sBadOption, 0 } |
| 518 | }; | 523 | }; |
| 519 | 524 | ||
| @@ -1697,6 +1702,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1697 | intptr = &options->fwd_opts.streamlocal_bind_unlink; | 1702 | intptr = &options->fwd_opts.streamlocal_bind_unlink; |
| 1698 | goto parse_flag; | 1703 | goto parse_flag; |
| 1699 | 1704 | ||
| 1705 | case sDebianBanner: | ||
| 1706 | intptr = &options->debian_banner; | ||
| 1707 | goto parse_int; | ||
| 1708 | |||
| 1700 | case sDeprecated: | 1709 | case sDeprecated: |
| 1701 | logit("%s line %d: Deprecated option %s", | 1710 | logit("%s line %d: Deprecated option %s", |
| 1702 | filename, linenum, arg); | 1711 | filename, linenum, arg); |
diff --git a/servconf.h b/servconf.h index f8265a8c8..fa48804ec 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -188,6 +188,8 @@ typedef struct { | |||
| 188 | 188 | ||
| 189 | u_int num_auth_methods; | 189 | u_int num_auth_methods; |
| 190 | char *auth_methods[MAX_AUTH_METHODS]; | 190 | char *auth_methods[MAX_AUTH_METHODS]; |
| 191 | |||
| 192 | int debian_banner; | ||
| 191 | } ServerOptions; | 193 | } ServerOptions; |
| 192 | 194 | ||
| 193 | /* Information about the incoming connection as used by Match */ | 195 | /* Information about the incoming connection as used by Match */ |
| @@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
| 443 | } | 443 | } |
| 444 | 444 | ||
| 445 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 445 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
| 446 | major, minor, SSH_RELEASE, | 446 | major, minor, |
| 447 | options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
| 447 | *options.version_addendum == '\0' ? "" : " ", | 448 | *options.version_addendum == '\0' ? "" : " ", |
| 448 | options.version_addendum, newline); | 449 | options.version_addendum, newline); |
| 449 | 450 | ||
diff --git a/sshd_config.5 b/sshd_config.5 index 2843048f1..58997d3fe 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -447,6 +447,11 @@ or | |||
| 447 | .Dq no . | 447 | .Dq no . |
| 448 | The default is | 448 | The default is |
| 449 | .Dq delayed . | 449 | .Dq delayed . |
| 450 | .It Cm DebianBanner | ||
| 451 | Specifies whether the distribution-specified extra version suffix is | ||
| 452 | included during initial protocol handshake. | ||
| 453 | The default is | ||
| 454 | .Dq yes . | ||
| 450 | .It Cm DenyGroups | 455 | .It Cm DenyGroups |
| 451 | This keyword can be followed by a list of group name patterns, separated | 456 | This keyword can be followed by a list of group name patterns, separated |
| 452 | by spaces. | 457 | by spaces. |