Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-banner.patch
author: Kees Cook <kees@debian.org> 2014-02-09 16:10:06 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 16:18:49 +0000
commit: 8a75df792931443e868e574408ed1666208a28c2 (patch)
tree: ed0e6736ececb28ef92b391d212987cc03f770b0
parent: da3ff9786c4c03b2aac4936b28f06b3c152e230d (diff)
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index 9155a8b70..a2928ff57 100644
--- a/servconf.c
+++ b/servconf.c
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
        options->version_addendum = NULL;
+        options->debian_banner = -1;
 }
 void
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
        if (options->version_addendum == NULL)
                options->version_addendum = xstrdup("");
+        if (options->debian_banner == -1)
+                options->debian_banner = 1;
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
@@ -360,6 +363,7 @@ typedef enum {
        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
        sAuthenticationMethods, sHostKeyAgent,
+        sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -501,6 +505,7 @@ static struct {
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -1648,6 +1653,10 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
+        case sDebianBanner:
+                intptr = &options->debian_banner;
+                goto parse_int;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
diff --git a/servconf.h b/servconf.h
index f655c5bf7..fd72ce2a3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -188,6 +188,8 @@ typedef struct {
        u_int   num_auth_methods;
        char   *auth_methods[MAX_AUTH_METHODS];
+        int     debian_banner;
 }       ServerOptions;
 /* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index 7efa7ef9e..6b988fe2e 100644
--- a/sshd.c
+++ b/sshd.c
@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
        }
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-            major, minor, SSH_RELEASE,
+            major, minor,
+            options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
            *options.version_addendum == '\0' ? "" : " ",
            options.version_addendum, newline);
diff --git a/sshd_config.5 b/sshd_config.5
index 510cc7cb2..eaf8d01a2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -404,6 +404,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
author	Kees Cook <kees@debian.org>	2014-02-09 16:10:06 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-09 16:18:49 +0000
commit	8a75df792931443e868e574408ed1666208a28c2 (patch)
tree	ed0e6736ececb28ef92b391d212987cc03f770b0
parent	da3ff9786c4c03b2aac4936b28f06b3c152e230d (diff)