author | Kees Cook <kees@debian.org> | 2014-02-09 16:10:06 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 15:02:54 +0000 |
commit | 2a1aeb898e4214f98acc210c992d33334e6710dd (patch) | |
tree | 42378b97f0486d8c9ec8807f52e5d4918c5405ee | |
parent | c89c88a0bcada4616262e3d7d9b165aca709927b (diff) |
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-11-29
Patch-Name: debian-banner.patch
-rw-r--r-- | servconf.c | 9 | ||||
-rw-r--r-- | servconf.h | 2 | ||||
-rw-r--r-- | sshd.c | 3 | ||||
-rw-r--r-- | sshd_config.5 | 5 |
4 files changed, 18 insertions, 1 deletions
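--- a/servconf.c
+++ b/servconf.c
@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
 options->version_addendum = NULL;
 options->fingerprint_hash = -1;
 options->disable_forwarding = -1;
+options->debian_banner = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -339,6 +340,8 @@ fill_default_server_options(ServerOptions *options)
 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 if (options->disable_forwarding == -1)
 options->disable_forwarding = 0;
+if (options->debian_banner == -1)
+options->debian_banner = 1;
 
 assemble_algorithms(options);
 
@@ -425,6 +428,7 @@ typedef enum {
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 sStreamLocalBindMask, sStreamLocalBindUnlink,
 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+sDebianBanner,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -577,6 +581,7 @@ static struct {
 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
 
@@ -1860,6 +1865,10 @@ process_server_config_line(ServerOptions *options, char *line,
 options->fingerprint_hash = value;
 break;
 
+case sDebianBanner:
+intptr = &options->debian_banner;
+goto parse_int;
+
 case sDeprecated:
 case sIgnore:
 case sUnsupported: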
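Review bot: The new `case sDebianBanner:` jumps to `parse_int`, but the commit message and the sshd_config.5 text in this commit describe a yes/no keyword. The `parse_int` label is outside this hunk; if it converts the argument numerically, as its name suggests, `DebianBanner no` will not be read as documented, and an administrator who sets it to limit version disclosure may not get the value they asked for. Boolean server options normally go through the flag parser, so the last added line should read `goto parse_flag;`. process_server_config_line starts and ends outside the hunk.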
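--- a/servconf.h
+++ b/servconf.h
@@ -191,6 +191,8 @@ typedef struct {
 char *auth_methods[MAX_AUTH_METHODS];
 
 int fingerprint_hash;
+
+int debian_banner;
 } ServerOptions;
 
 /* Information about the incoming connection as used by Match */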
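Review bot: The new `debian_banner` field has no comment, although servconf.c in this commit relies on -1 meaning "unset" until the default of 1 is filled in. A trailing comment would record that, for example `int debian_banner; /* include Debian revision in version banner; -1 = unset */`. The struct begins outside the hunk.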
@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | |||
378 | char remote_version[256]; /* Must be at least as big as buf. */ | 378 | char remote_version[256]; /* Must be at least as big as buf. */ |
379 | 379 | ||
380 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 380 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
381 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, | 381 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, |
382 | options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
382 | *options.version_addendum == '\0' ? "" : " ", | 383 | *options.version_addendum == '\0' ? "" : " ", |
383 | options.version_addendum, newline); | 384 | options.version_addendum, newline); |
384 | 385 | ||
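Review bot: The new argument `options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM` has no comment, and with the option off the string still carries `SSH_RELEASE_MINIMUM` and any `version_addendum`, so only the Debian revision is hidden. `SSH_RELEASE_MINIMUM` is not defined in any file shown in this commit; it presumably comes from package-versioning.patch, which the description mentions. I would add above the `xasprintf` call `/* DebianBanner=no drops only the Debian revision; the upstream version is still sent */`, so the option is not read as hiding the server version. Banner-based vulnerability scanners may then be unable to tell that Debian's backported fixes are present, which is worth a sentence in sshd_config.5. sshd_exchange_identification starts and ends outside the hunk.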
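--- a/sshd_config.5
+++ b/sshd_config.5
@@ -526,6 +526,11 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.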