Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-banner.patch
author: Kees Cook <kees@debian.org> 2014-02-09 16:10:06 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-03-20 00:32:29 +0000
commit: 9fcad888f4dbf0ecc0c7e87b6ef0f8d88d7ac3ec (patch)
tree: 1ab60157509d36807459667d366a04376038b46d
parent: 6de70b95f5005447ae23532d4f3ee41a9338479f (diff)
4 files changed, 18 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index 90de88879..37fd2de6d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
        options->version_addendum = NULL;
+        options->debian_banner = -1;
 }
 void
@@ -309,6 +310,8 @@ fill_default_server_options(ServerOptions *options)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
        if (options->version_addendum == NULL)
                options->version_addendum = xstrdup("");
+        if (options->debian_banner == -1)
+                options->debian_banner = 1;
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_NOSANDBOX;
@@ -359,6 +362,7 @@ typedef enum {
        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
        sAuthenticationMethods, sHostKeyAgent,
+        sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -496,6 +500,7 @@ static struct {
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -1654,6 +1659,10 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
+        case sDebianBanner:
+                intptr = &options->debian_banner;
+                goto parse_int;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
diff --git a/servconf.h b/servconf.h
index c922eb50c..dcd1c2ab8 100644
--- a/servconf.h
+++ b/servconf.h
@@ -186,6 +186,8 @@ typedef struct {
        u_int   num_auth_methods;
        char   *auth_methods[MAX_AUTH_METHODS];
+        int     debian_banner;
 }       ServerOptions;
 /* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index af9b8f180..665c0b91d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
        }
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-            major, minor, SSH_RELEASE,
+            major, minor,
+            options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
            *options.version_addendum == '\0' ? "" : " ",
            options.version_addendum, newline);
diff --git a/sshd_config.5 b/sshd_config.5
index 2164d5841..8f078f618 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -413,6 +413,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
author	Kees Cook <kees@debian.org>	2014-02-09 16:10:06 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-03-20 00:32:29 +0000
commit	9fcad888f4dbf0ecc0c7e87b6ef0f8d88d7ac3ec (patch)
tree	1ab60157509d36807459667d366a04376038b46d
parent	6de70b95f5005447ae23532d4f3ee41a9338479f (diff)