diff options
| author | Kees Cook <kees@debian.org> | 2014-02-09 16:10:06 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2018-08-24 17:49:07 +0100 |
| commit | 905ffae23105d59b013aac809da6195d231b0395 (patch) | |
| tree | 2842020fb02755a11cfd4f88aaacd233ca66dfa4 | |
| parent | 97c5d99b8d1957d5a29ca34157a9bfe2ed5c7003 (diff) | |
Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2018-08-24
Patch-Name: debian-banner.patch
| -rw-r--r-- | servconf.c | 9 | ||||
| -rw-r--r-- | servconf.h | 2 | ||||
| -rw-r--r-- | sshd.c | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 5 |
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c index e49984a81..bb43a649c 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -181,6 +181,7 @@ initialize_server_options(ServerOptions *options) | |||
| 181 | options->fingerprint_hash = -1; | 181 | options->fingerprint_hash = -1; |
| 182 | options->disable_forwarding = -1; | 182 | options->disable_forwarding = -1; |
| 183 | options->expose_userauth_info = -1; | 183 | options->expose_userauth_info = -1; |
| 184 | options->debian_banner = -1; | ||
| 184 | } | 185 | } |
| 185 | 186 | ||
| 186 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ | 187 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
| @@ -413,6 +414,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 413 | options->disable_forwarding = 0; | 414 | options->disable_forwarding = 0; |
| 414 | if (options->expose_userauth_info == -1) | 415 | if (options->expose_userauth_info == -1) |
| 415 | options->expose_userauth_info = 0; | 416 | options->expose_userauth_info = 0; |
| 417 | if (options->debian_banner == -1) | ||
| 418 | options->debian_banner = 1; | ||
| 416 | 419 | ||
| 417 | assemble_algorithms(options); | 420 | assemble_algorithms(options); |
| 418 | 421 | ||
| @@ -500,6 +503,7 @@ typedef enum { | |||
| 500 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 503 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
| 501 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, | 504 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
| 502 | sExposeAuthInfo, sRDomain, | 505 | sExposeAuthInfo, sRDomain, |
| 506 | sDebianBanner, | ||
| 503 | sDeprecated, sIgnore, sUnsupported | 507 | sDeprecated, sIgnore, sUnsupported |
| 504 | } ServerOpCodes; | 508 | } ServerOpCodes; |
| 505 | 509 | ||
| @@ -656,6 +660,7 @@ static struct { | |||
| 656 | { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, | 660 | { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, |
| 657 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, | 661 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, |
| 658 | { "rdomain", sRDomain, SSHCFG_ALL }, | 662 | { "rdomain", sRDomain, SSHCFG_ALL }, |
| 663 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | ||
| 659 | { NULL, sBadOption, 0 } | 664 | { NULL, sBadOption, 0 } |
| 660 | }; | 665 | }; |
| 661 | 666 | ||
| @@ -2164,6 +2169,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 2164 | *charptr = xstrdup(arg); | 2169 | *charptr = xstrdup(arg); |
| 2165 | break; | 2170 | break; |
| 2166 | 2171 | ||
| 2172 | case sDebianBanner: | ||
| 2173 | intptr = &options->debian_banner; | ||
| 2174 | goto parse_flag; | ||
| 2175 | |||
| 2167 | case sDeprecated: | 2176 | case sDeprecated: |
| 2168 | case sIgnore: | 2177 | case sIgnore: |
| 2169 | case sUnsupported: | 2178 | case sUnsupported: |
diff --git a/servconf.h b/servconf.h index 9b117fe27..76098119b 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -211,6 +211,8 @@ typedef struct { | |||
| 211 | int fingerprint_hash; | 211 | int fingerprint_hash; |
| 212 | int expose_userauth_info; | 212 | int expose_userauth_info; |
| 213 | u_int64_t timing_secret; | 213 | u_int64_t timing_secret; |
| 214 | |||
| 215 | int debian_banner; | ||
| 214 | } ServerOptions; | 216 | } ServerOptions; |
| 215 | 217 | ||
| 216 | /* Information about the incoming connection as used by Match */ | 218 | /* Information about the incoming connection as used by Match */ |
| @@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | |||
| 384 | char remote_version[256]; /* Must be at least as big as buf. */ | 384 | char remote_version[256]; /* Must be at least as big as buf. */ |
| 385 | 385 | ||
| 386 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", | 386 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", |
| 387 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, | 387 | PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, |
| 388 | options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
| 388 | *options.version_addendum == '\0' ? "" : " ", | 389 | *options.version_addendum == '\0' ? "" : " ", |
| 389 | options.version_addendum); | 390 | options.version_addendum); |
| 390 | 391 | ||
diff --git a/sshd_config.5 b/sshd_config.5 index 0fbbccbde..96a69ab55 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -532,6 +532,11 @@ or | |||
| 532 | .Cm no . | 532 | .Cm no . |
| 533 | The default is | 533 | The default is |
| 534 | .Cm yes . | 534 | .Cm yes . |
| 535 | .It Cm DebianBanner | ||
| 536 | Specifies whether the distribution-specified extra version suffix is | ||
| 537 | included during initial protocol handshake. | ||
| 538 | The default is | ||
| 539 | .Cm yes . | ||
| 535 | .It Cm DenyGroups | 540 | .It Cm DenyGroups |
| 536 | This keyword can be followed by a list of group name patterns, separated | 541 | This keyword can be followed by a list of group name patterns, separated |
| 537 | by spaces. | 542 | by spaces. |