diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-01-16 00:07:00 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-01-16 00:07:00 +0000 |
| commit | 730e12063b532f59292af38f584d84127a77ebdd (patch) | |
| tree | 0fe553bd04207ffde728f350a1f21dfb5966bf14 | |
| parent | 5df50c6ed93365589bbcfb6a1925828b1273c7a9 (diff) | |
Implement DebianBanner server configuration flag that can be set to "no"
to allow sshd to run without the Debian-specific extra version in the
initial protocol handshake (closes: #562048).
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | servconf.c | 9 | ||||
| -rw-r--r-- | servconf.h | 2 | ||||
| -rw-r--r-- | sshd.c | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 5 | ||||
| -rw-r--r-- | version.h | 5 |
6 files changed, 27 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 4207281e8..2793110f0 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,5 +1,6 @@ | |||
| 1 | openssh (1:5.2p1-2) UNRELEASED; urgency=low | 1 | openssh (1:5.2p1-2) UNRELEASED; urgency=low |
| 2 | 2 | ||
| 3 | [ Colin Watson ] | ||
| 3 | * Backport from upstream: | 4 | * Backport from upstream: |
| 4 | - After sshd receives a SIGHUP, ignore subsequent HUPs while sshd | 5 | - After sshd receives a SIGHUP, ignore subsequent HUPs while sshd |
| 5 | re-execs itself. Prevents two HUPs in quick succession from resulting | 6 | re-execs itself. Prevents two HUPs in quick succession from resulting |
| @@ -11,6 +12,11 @@ openssh (1:5.2p1-2) UNRELEASED; urgency=low | |||
| 11 | release of Debian dropped support for Linux 2.4, let alone 2.0, so this | 12 | release of Debian dropped support for Linux 2.4, let alone 2.0, so this |
| 12 | very likely has no remaining users depending on it. | 13 | very likely has no remaining users depending on it. |
| 13 | 14 | ||
| 15 | [ Kees Cook ] | ||
| 16 | * Implement DebianBanner server configuration flag that can be set to "no" | ||
| 17 | to allow sshd to run without the Debian-specific extra version in the | ||
| 18 | initial protocol handshake (closes: #562048). | ||
| 19 | |||
| 14 | -- Colin Watson <cjwatson@debian.org> Sun, 10 Jan 2010 22:06:28 +0000 | 20 | -- Colin Watson <cjwatson@debian.org> Sun, 10 Jan 2010 22:06:28 +0000 |
| 15 | 21 | ||
| 16 | openssh (1:5.2p1-1) unstable; urgency=low | 22 | openssh (1:5.2p1-1) unstable; urgency=low |
diff --git a/servconf.c b/servconf.c index c1f2bc2af..dd5161ecd 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -132,6 +132,7 @@ initialize_server_options(ServerOptions *options) | |||
| 132 | options->adm_forced_command = NULL; | 132 | options->adm_forced_command = NULL; |
| 133 | options->chroot_directory = NULL; | 133 | options->chroot_directory = NULL; |
| 134 | options->zero_knowledge_password_authentication = -1; | 134 | options->zero_knowledge_password_authentication = -1; |
| 135 | options->debian_banner = -1; | ||
| 135 | } | 136 | } |
| 136 | 137 | ||
| 137 | void | 138 | void |
| @@ -273,6 +274,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 273 | options->permit_tun = SSH_TUNMODE_NO; | 274 | options->permit_tun = SSH_TUNMODE_NO; |
| 274 | if (options->zero_knowledge_password_authentication == -1) | 275 | if (options->zero_knowledge_password_authentication == -1) |
| 275 | options->zero_knowledge_password_authentication = 0; | 276 | options->zero_knowledge_password_authentication = 0; |
| 277 | if (options->debian_banner == -1) | ||
| 278 | options->debian_banner = 1; | ||
| 276 | 279 | ||
| 277 | /* Turn privilege separation on by default */ | 280 | /* Turn privilege separation on by default */ |
| 278 | if (use_privsep == -1) | 281 | if (use_privsep == -1) |
| @@ -320,6 +323,7 @@ typedef enum { | |||
| 320 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 323 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| 321 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 324 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 322 | sZeroKnowledgePasswordAuthentication, | 325 | sZeroKnowledgePasswordAuthentication, |
| 326 | sDebianBanner, | ||
| 323 | sDeprecated, sUnsupported | 327 | sDeprecated, sUnsupported |
| 324 | } ServerOpCodes; | 328 | } ServerOpCodes; |
| 325 | 329 | ||
| @@ -449,6 +453,7 @@ static struct { | |||
| 449 | { "permitopen", sPermitOpen, SSHCFG_ALL }, | 453 | { "permitopen", sPermitOpen, SSHCFG_ALL }, |
| 450 | { "forcecommand", sForceCommand, SSHCFG_ALL }, | 454 | { "forcecommand", sForceCommand, SSHCFG_ALL }, |
| 451 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, | 455 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
| 456 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | ||
| 452 | { NULL, sBadOption, 0 } | 457 | { NULL, sBadOption, 0 } |
| 453 | }; | 458 | }; |
| 454 | 459 | ||
| @@ -1335,6 +1340,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1335 | *charptr = xstrdup(arg); | 1340 | *charptr = xstrdup(arg); |
| 1336 | break; | 1341 | break; |
| 1337 | 1342 | ||
| 1343 | case sDebianBanner: | ||
| 1344 | intptr = &options->debian_banner; | ||
| 1345 | goto parse_int; | ||
| 1346 | |||
| 1338 | case sDeprecated: | 1347 | case sDeprecated: |
| 1339 | logit("%s line %d: Deprecated option %s", | 1348 | logit("%s line %d: Deprecated option %s", |
| 1340 | filename, linenum, arg); | 1349 | filename, linenum, arg); |
diff --git a/servconf.h b/servconf.h index 3852b1bae..0cd78bc22 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -154,6 +154,8 @@ typedef struct { | |||
| 154 | 154 | ||
| 155 | int num_permitted_opens; | 155 | int num_permitted_opens; |
| 156 | 156 | ||
| 157 | int debian_banner; | ||
| 158 | |||
| 157 | char *chroot_directory; | 159 | char *chroot_directory; |
| 158 | } ServerOptions; | 160 | } ServerOptions; |
| 159 | 161 | ||
| @@ -425,7 +425,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
| 425 | minor = PROTOCOL_MINOR_1; | 425 | minor = PROTOCOL_MINOR_1; |
| 426 | } | 426 | } |
| 427 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | 427 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, |
| 428 | SSH_RELEASE, newline); | 428 | options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, |
| 429 | newline); | ||
| 429 | server_version_string = xstrdup(buf); | 430 | server_version_string = xstrdup(buf); |
| 430 | 431 | ||
| 431 | /* Send our protocol version identification. */ | 432 | /* Send our protocol version identification. */ |
diff --git a/sshd_config.5 b/sshd_config.5 index d30ad2ed1..0d2e0c3da 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -314,6 +314,11 @@ or | |||
| 314 | .Dq no . | 314 | .Dq no . |
| 315 | The default is | 315 | The default is |
| 316 | .Dq delayed . | 316 | .Dq delayed . |
| 317 | .It Cm DebianBanner | ||
| 318 | Specifies whether the distribution-specified extra version suffix is | ||
| 319 | included during initial protocol handshake. | ||
| 320 | The default is | ||
| 321 | .Dq yes . | ||
| 317 | .It Cm DenyGroups | 322 | .It Cm DenyGroups |
| 318 | This keyword can be followed by a list of group name patterns, separated | 323 | This keyword can be followed by a list of group name patterns, separated |
| 319 | by spaces. | 324 | by spaces. |
| @@ -3,8 +3,9 @@ | |||
| 3 | #define SSH_VERSION "OpenSSH_5.2" | 3 | #define SSH_VERSION "OpenSSH_5.2" |
| 4 | 4 | ||
| 5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p1" |
| 6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | ||
| 6 | #ifdef SSH_EXTRAVERSION | 7 | #ifdef SSH_EXTRAVERSION |
| 7 | #define SSH_RELEASE SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION | 8 | #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION |
| 8 | #else | 9 | #else |
| 9 | #define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 10 | #define SSH_RELEASE SSH_RELEASE_MINIMUM |
| 10 | #endif | 11 | #endif |