Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-11-29

Patch-Name: debian-banner.patch

4 files changed, 18 insertions, 1 deletions

diff --git a/servconf.c b/servconf.c
index bf9f8f784..a98b30938 100644
--- a/servconf.c
+++ b/servconf.c
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
         options->fingerprint_hash = -1;
+        options->debian_banner = -1;
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -359,6 +360,8 @@ fill_default_server_options(ServerOptions *options)
                 options->fwd_opts.streamlocal_bind_unlink = 0;
         if (options->fingerprint_hash == -1)
                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+        if (options->debian_banner == -1)
+                options->debian_banner = 1;
 
         assemble_algorithms(options);
 
@@ -445,6 +448,7 @@ typedef enum {
         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
         sStreamLocalBindMask, sStreamLocalBindUnlink,
         sAllowStreamLocalForwarding, sFingerprintHash,
+        sDebianBanner,
         sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -596,6 +600,7 @@ static struct {
         { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
         { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
         { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
         { NULL, sBadOption, 0 }
 };
 
@@ -1903,6 +1908,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         options->fingerprint_hash = value;
                 break;
 
+        case sDebianBanner:
+                intptr = &options->debian_banner;
+                goto parse_int;
+
         case sDeprecated:
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
diff --git a/servconf.h b/servconf.h
index 778ba1742..161fa37c4 100644
--- a/servconf.h
+++ b/servconf.h
@@ -197,6 +197,8 @@ typedef struct {
         char   *auth_methods[MAX_AUTH_METHODS];
 
         int     fingerprint_hash;
+
+        int     debian_banner;
 }       ServerOptions;
 
 /* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index e873557b7..71fad9e54 100644
--- a/sshd.c
+++ b/sshd.c
@@ -443,7 +443,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
         }
 
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-            major, minor, SSH_RELEASE,
+            major, minor,
+            options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
             *options.version_addendum == '\0' ? "" : " ",
             options.version_addendum, newline);
 
diff --git a/sshd_config.5 b/sshd_config.5
index e05cdbef5..ac9b1f032 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -541,6 +541,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.