summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKees Cook <kees@debian.org>2014-02-09 16:10:06 +0000
committerColin Watson <cjwatson@debian.org>2017-01-16 15:02:54 +0000
commit2a1aeb898e4214f98acc210c992d33334e6710dd (patch)
tree42378b97f0486d8c9ec8807f52e5d4918c5405ee
parentc89c88a0bcada4616262e3d7d9b165aca709927b (diff)
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-11-29 Patch-Name: debian-banner.patch
-rw-r--r--servconf.c9
-rw-r--r--servconf.h2
-rw-r--r--sshd.c3
-rw-r--r--sshd_config.55
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index 49d3bdc8c..1cee3d6c2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
166 options->version_addendum = NULL; 166 options->version_addendum = NULL;
167 options->fingerprint_hash = -1; 167 options->fingerprint_hash = -1;
168 options->disable_forwarding = -1; 168 options->disable_forwarding = -1;
169 options->debian_banner = -1;
169} 170}
170 171
171/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 172/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -339,6 +340,8 @@ fill_default_server_options(ServerOptions *options)
339 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 340 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
340 if (options->disable_forwarding == -1) 341 if (options->disable_forwarding == -1)
341 options->disable_forwarding = 0; 342 options->disable_forwarding = 0;
343 if (options->debian_banner == -1)
344 options->debian_banner = 1;
342 345
343 assemble_algorithms(options); 346 assemble_algorithms(options);
344 347
@@ -425,6 +428,7 @@ typedef enum {
425 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 428 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
426 sStreamLocalBindMask, sStreamLocalBindUnlink, 429 sStreamLocalBindMask, sStreamLocalBindUnlink,
427 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 430 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
431 sDebianBanner,
428 sDeprecated, sIgnore, sUnsupported 432 sDeprecated, sIgnore, sUnsupported
429} ServerOpCodes; 433} ServerOpCodes;
430 434
@@ -577,6 +581,7 @@ static struct {
577 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, 581 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
578 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, 582 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
579 { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, 583 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
584 { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
580 { NULL, sBadOption, 0 } 585 { NULL, sBadOption, 0 }
581}; 586};
582 587
@@ -1860,6 +1865,10 @@ process_server_config_line(ServerOptions *options, char *line,
1860 options->fingerprint_hash = value; 1865 options->fingerprint_hash = value;
1861 break; 1866 break;
1862 1867
1868 case sDebianBanner:
1869 intptr = &options->debian_banner;
1870 goto parse_int;
1871
1863 case sDeprecated: 1872 case sDeprecated:
1864 case sIgnore: 1873 case sIgnore:
1865 case sUnsupported: 1874 case sUnsupported:
diff --git a/servconf.h b/servconf.h
index 90dfa4c24..913a21b39 100644
--- a/servconf.h
+++ b/servconf.h
@@ -191,6 +191,8 @@ typedef struct {
191 char *auth_methods[MAX_AUTH_METHODS]; 191 char *auth_methods[MAX_AUTH_METHODS];
192 192
193 int fingerprint_hash; 193 int fingerprint_hash;
194
195 int debian_banner;
194} ServerOptions; 196} ServerOptions;
195 197
196/* Information about the incoming connection as used by Match */ 198/* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index 49f3a2e52..eebf19841 100644
--- a/sshd.c
+++ b/sshd.c
@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
378 char remote_version[256]; /* Must be at least as big as buf. */ 378 char remote_version[256]; /* Must be at least as big as buf. */
379 379
380 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 380 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
381 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, 381 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
382 options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
382 *options.version_addendum == '\0' ? "" : " ", 383 *options.version_addendum == '\0' ? "" : " ",
383 options.version_addendum, newline); 384 options.version_addendum, newline);
384 385
diff --git a/sshd_config.5 b/sshd_config.5
index 283ba8896..4ea0a9c34 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -526,6 +526,11 @@ or
526.Cm no . 526.Cm no .
527The default is 527The default is
528.Cm yes . 528.Cm yes .
529.It Cm DebianBanner
530Specifies whether the distribution-specified extra version suffix is
531included during initial protocol handshake.
532The default is
533.Cm yes .
529.It Cm DenyGroups 534.It Cm DenyGroups
530This keyword can be followed by a list of group name patterns, separated 535This keyword can be followed by a list of group name patterns, separated
531by spaces. 536by spaces.