Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-banner.patch
author: Kees Cook <kees@debian.org> 2014-02-09 16:10:06 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 23:43:41 +0000
commit: e1e1e23ca98c59a031217da0ea50b70de5427683 (patch)
tree: c654229a31850cdb0b2ac46ca1366deca9b410b5
parent: 893bd5a6f70b58e1ed98d496c4f465d8c1df71a7 (diff)
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index dcb8cafdc..802db1d79 100644
--- a/servconf.c
+++ b/servconf.c
@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
        options->version_addendum = NULL;
+        options->debian_banner = -1;
 }
 void
@@ -307,6 +308,8 @@ fill_default_server_options(ServerOptions *options)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
        if (options->version_addendum == NULL)
                options->version_addendum = xstrdup("");
+        if (options->debian_banner == -1)
+                options->debian_banner = 1;
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
@@ -357,6 +360,7 @@ typedef enum {
        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
        sAuthenticationMethods, sHostKeyAgent,
+        sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -498,6 +502,7 @@ static struct {
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -1641,6 +1646,10 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
+        case sDebianBanner:
+                intptr = &options->debian_banner;
+                goto parse_int;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
diff --git a/servconf.h b/servconf.h
index ab6e34669..1891a95a1 100644
--- a/servconf.h
+++ b/servconf.h
@@ -187,6 +187,8 @@ typedef struct {
        u_int   num_auth_methods;
        char   *auth_methods[MAX_AUTH_METHODS];
+        int     debian_banner;
 }       ServerOptions;
 /* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index 46ec1a715..63b935782 100644
--- a/sshd.c
+++ b/sshd.c
@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
        }
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-            major, minor, SSH_RELEASE,
+            major, minor,
+            options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
            *options.version_addendum == '\0' ? "" : " ",
            options.version_addendum, newline);
diff --git a/sshd_config.5 b/sshd_config.5
index e29604ad5..50eec53ab 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -404,6 +404,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
author	Kees Cook <kees@debian.org>	2014-02-09 16:10:06 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-09 23:43:41 +0000
commit	e1e1e23ca98c59a031217da0ea50b70de5427683 (patch)
tree	c654229a31850cdb0b2ac46ca1366deca9b410b5
parent	893bd5a6f70b58e1ed98d496c4f465d8c1df71a7 (diff)