author | Kees Cook <kees@debian.org> | 2014-02-09 16:10:06 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-10-18 12:07:21 +0100 |
commit | 6353ee79cc71ef33a0a34d2d769a5fe327f6260d (patch) | |
tree | aea45e4915495e264f5f0c42b77a4a59df700b29 | |
parent | 707144d399b9fc959a4f6be3fd8e239c208c88ff (diff) |
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2020-06-07
Patch-Name: debian-banner.patch
-rw-r--r-- | kex.c | 5 | ||||
-rw-r--r-- | kex.h | 2 | ||||
-rw-r--r-- | servconf.c | 9 | ||||
-rw-r--r-- | servconf.h | 2 | ||||
-rw-r--r-- | sshconnect.c | 2 | ||||
-rw-r--r-- | sshd.c | 2 | ||||
-rw-r--r-- | sshd_config.5 | 5 |
7 files changed, 22 insertions, 5 deletions
@@ -1225,7 +1225,7 @@ send_error(struct ssh *ssh, char *msg) | |||
1225 | */ | 1225 | */ |
1226 | int | 1226 | int |
1227 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, | 1227 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
1228 | const char *version_addendum) | 1228 | int debian_banner, const char *version_addendum) |
1229 | { | 1229 | { |
1230 | int remote_major, remote_minor, mismatch, oerrno = 0; | 1230 | int remote_major, remote_minor, mismatch, oerrno = 0; |
1231 | size_t len, i, n; | 1231 | size_t len, i, n; |
@@ -1243,7 +1243,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, | |||
1243 | if (version_addendum != NULL && *version_addendum == '\0') | 1243 | if (version_addendum != NULL && *version_addendum == '\0') |
1244 | version_addendum = NULL; | 1244 | version_addendum = NULL; |
1245 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", | 1245 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", |
1246 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, | 1246 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, |
1247 | debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
1247 | version_addendum == NULL ? "" : " ", | 1248 | version_addendum == NULL ? "" : " ", |
1248 | version_addendum == NULL ? "" : version_addendum)) != 0) { | 1249 | version_addendum == NULL ? "" : version_addendum)) != 0) { |
1249 | oerrno = errno; | 1250 | oerrno = errno; |
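Review bot: The ternary on new line 1247 treats any non-zero `debian_banner` as "include the Debian revision", so the -1 sentinel that initialize_server_options stores would fall through to the longer banner if the value ever reached this function before fill_default_server_options replaced it; sshd's call site presumably runs after defaults are filled, but the function itself does not defend against the sentinel. Writing `debian_banner > 0 ? SSH_RELEASE : SSH_RELEASE_MINIMUM,` would make only an explicit yes expose the revision string. The new parameter is also undocumented in the kex.h prototype; a comment there such as `/* debian_banner: non-zero sends SSH_RELEASE, zero sends SSH_RELEASE_MINIMUM */` would record the contract. SSH_RELEASE_MINIMUM is not defined in this patch and is presumably supplied by the package-versioning.patch named in the description. kex_exchange_identification's body continues beyond the hunk.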
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *); | |||
194 | int kex_assemble_names(char **, const char *, const char *); | 194 | int kex_assemble_names(char **, const char *, const char *); |
195 | int kex_gss_names_valid(const char *); | 195 | int kex_gss_names_valid(const char *); |
196 | 196 | ||
197 | int kex_exchange_identification(struct ssh *, int, const char *); | 197 | int kex_exchange_identification(struct ssh *, int, int, const char *); |
198 | 198 | ||
199 | struct kex *kex_new(void); | 199 | struct kex *kex_new(void); |
200 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); | 200 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); |
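diff --git a/servconf.c b/servconf.c
index 21abe41ac..f9eb778d6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
 options->fingerprint_hash = -1;
 options->disable_forwarding = -1;
 options->expose_userauth_info = -1;
+options->debian_banner = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -469,6 +470,8 @@ fill_default_server_options(ServerOptions *options)
 options->expose_userauth_info = 0;
 if (options->sk_provider == NULL)
 options->sk_provider = xstrdup("internal");
+if (options->debian_banner == -1)
+options->debian_banner = 1;
 
 assemble_algorithms(options);
 
@@ -548,6 +551,7 @@ typedef enum {
 sStreamLocalBindMask, sStreamLocalBindUnlink,
 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+sDebianBanner,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -712,6 +716,7 @@ static struct {
 { "rdomain", sRDomain, SSHCFG_ALL },
 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
 
@@ -2402,6 +2407,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 *charptr = xstrdup(arg);
 break;
 
+case sDebianBanner:
+intptr = &options->debian_banner;
+goto parse_flag;
+
 case sDeprecated:
 case sIgnore:
 case sUnsupported: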
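Review bot: The new option is never emitted by dump_config, so `sshd -T` will not report the effective DebianBanner value the way the other flag options are reported; the diffstat's nine servconf.c lines are all accounted for within these hunks, so no such entry exists elsewhere in the patch. Adding `dump_cfg_fmtint(sDebianBanner, o->debian_banner);` next to the other `dump_cfg_fmtint` calls would let an operator verify that the trimmed banner is actually in effect. Registering the keyword as SSHCFG_GLOBAL looks appropriate if the identification string is sent before any Match block is evaluated, which these hunks cannot show.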
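diff --git a/servconf.h b/servconf.h
index f10908e5b..4afdf24d0 100644
--- a/servconf.h
+++ b/servconf.h
@@ -227,6 +227,8 @@ typedef struct {
 int expose_userauth_info;
 u_int64_t timing_secret;
 char *sk_provider;
+
+int debian_banner;
 } ServerOptions;
 
 /* Information about the incoming connection as used by Match */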
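Review bot: The new `debian_banner` field carries no comment recording its three states, even though the -1 written by initialize_server_options is a sentinel that must be replaced before the value is used; `int debian_banner; /* -1 unset, 0 send SSH_RELEASE_MINIMUM, 1 send SSH_RELEASE */` would make that contract visible to later callers. The blank line inserted above the field separates it from the rest of the struct for no apparent reason and could be dropped.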
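diff --git a/sshconnect.c b/sshconnect.c
index 3ae20b74e..bab3916d8 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1296,7 +1296,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 lowercase(host);
 
 /* Exchange protocol version identification strings with the server. */
-if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0)
 sshpkt_fatal(ssh, r, "banner exchange");
 
 /* Put the connection into non-blocking mode. */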
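Review bot: The client call on line 1299 passes a bare `1` for the new debian_banner argument, so a reader has to consult kex.c to learn that ssh always sends the full release string and that the server option has no client-side counterpart; a short comment such as `/* client always sends the full release string */` on the call would make that intent explicit. ssh_login's body continues outside the hunk.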
@@ -2232,7 +2232,7 @@ main(int ac, char **av) | |||
2232 | if (!debug_flag) | 2232 | if (!debug_flag) |
2233 | alarm(options.login_grace_time); | 2233 | alarm(options.login_grace_time); |
2234 | 2234 | ||
2235 | if ((r = kex_exchange_identification(ssh, -1, | 2235 | if ((r = kex_exchange_identification(ssh, -1, options.debian_banner, |
2236 | options.version_addendum)) != 0) | 2236 | options.version_addendum)) != 0) |
2237 | sshpkt_fatal(ssh, r, "banner exchange"); | 2237 | sshpkt_fatal(ssh, r, "banner exchange"); |
2238 | 2238 | ||
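diff --git a/sshd_config.5 b/sshd_config.5
index 6457620bb..33dc0c675 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -540,6 +540,11 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.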