author | Kees Cook <kees@debian.org> | 2014-02-09 16:10:06 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 23:43:41 +0000 |
commit | e1e1e23ca98c59a031217da0ea50b70de5427683 (patch) | |
tree | c654229a31850cdb0b2ac46ca1366deca9b410b5 | |
parent | 893bd5a6f70b58e1ed98d496c4f465d8c1df71a7 (diff) |
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: debian-banner.patch
-rw-r--r-- | servconf.c | 9 | ||||
-rw-r--r-- | servconf.h | 2 | ||||
-rw-r--r-- | sshd.c | 3 | ||||
-rw-r--r-- | sshd_config.5 | 5 |
4 files changed, 18 insertions, 1 deletions
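--- a/servconf.c
+++ b/servconf.c
@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
 options->ip_qos_interactive = -1;
 options->ip_qos_bulk = -1;
 options->version_addendum = NULL;
+options->debian_banner = -1;
 }
 
 void
@@ -307,6 +308,8 @@ fill_default_server_options(ServerOptions *options)
 options->ip_qos_bulk = IPTOS_THROUGHPUT;
 if (options->version_addendum == NULL)
 options->version_addendum = xstrdup("");
+if (options->debian_banner == -1)
+options->debian_banner = 1;
 /* Turn privilege separation on by default */
 if (use_privsep == -1)
 use_privsep = PRIVSEP_NOSANDBOX;
@@ -357,6 +360,7 @@ typedef enum {
 sKexAlgorithms, sIPQoS, sVersionAddendum,
 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 sAuthenticationMethods, sHostKeyAgent,
+sDebianBanner,
 sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -498,6 +502,7 @@ static struct {
 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
 
@@ -1641,6 +1646,10 @@ process_server_config_line(ServerOptions *options, char *line,
 }
 return 0;
 
+case sDebianBanner:
+intptr = &options->debian_banner;
+goto parse_int;
+
 case sDeprecated:
 logit("%s line %d: Deprecated option %s",
 filename, linenum, arg);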
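Review bot: In the `case sDebianBanner:` hunk the value is parsed with `goto parse_int;`, but the sshd_config.5 text added by this same commit gives the default as `yes` and the description talks about setting it to "no", so the option is documented as a yes/no flag. The `parse_int` label lies outside the hunk; if it converts the argument numerically (as far as I recall, upstream's used atoi() at the time), then `DebianBanner yes` is stored as 0 and switches the suffix off, and a misspelt value is accepted silently instead of being rejected. I would change the line to `goto parse_flag;` so that only `yes` and `no` are accepted and anything else is a fatal configuration error. process_server_config_line starts and ends outside the hunk.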
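--- a/servconf.h
+++ b/servconf.h
@@ -187,6 +187,8 @@ typedef struct {
 
 u_int num_auth_methods;
 char *auth_methods[MAX_AUTH_METHODS];
+
+int debian_banner;
 } ServerOptions;
 
 /* Information about the incoming connection as used by Match */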
@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
440 | } | 440 | } |
441 | 441 | ||
442 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 442 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
443 | major, minor, SSH_RELEASE, | 443 | major, minor, |
444 | options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
444 | *options.version_addendum == '\0' ? "" : " ", | 445 | *options.version_addendum == '\0' ? "" : " ", |
445 | options.version_addendum, newline); | 446 | options.version_addendum, newline); |
446 | 447 | ||
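Review bot: The new `options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM` argument has no comment saying what is still disclosed when the option is off, and an administrator reading this code could take it for a way to hide the server version. `SSH_RELEASE_MINIMUM` is not defined in any hunk shown (the description points at package-versioning.patch), so presumably it is the release string without the Debian revision; if so, the upstream version is still sent to unauthenticated peers, and `options.version_addendum` is appended in both cases. I would add `/* DebianBanner=no drops only the distribution suffix; the upstream version and VersionAddendum are still sent */` above the xasprintf call. The file header for this hunk is missing from the page (the diffstat suggests sshd.c), and sshd_exchange_identification starts and ends outside the hunk.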
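--- a/sshd_config.5
+++ b/sshd_config.5
@@ -404,6 +404,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.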