summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog4
-rw-r--r--servconf.c26
-rw-r--r--servconf.h4
-rw-r--r--sshd.c10
-rw-r--r--sshd_config3
-rw-r--r--sshd_config.59
6 files changed, 45 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 9c9b3fd0c..a8312a5ef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,10 @@
33 [ssh-keyscan.1 ssh-keyscan.c] 33 [ssh-keyscan.1 ssh-keyscan.c]
34 now that sshd defaults to offering ECDSA keys, ssh-keyscan should also 34 now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
35 look for them by default; bz#1971 35 look for them by default; bz#1971
36 - djm@cvs.openbsd.org 2012/04/12 02:42:32
37 [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
38 VersionAddendum option to allow server operators to append some arbitrary
39 text to the SSH-... banner; ok deraadt@ "don't care" markus@
36 40
3720120420 4120120420
38 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 42 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
diff --git a/servconf.c b/servconf.c
index 6de77164e..a8a40f97e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */ 1/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions *options)
138 options->authorized_principals_file = NULL; 138 options->authorized_principals_file = NULL;
139 options->ip_qos_interactive = -1; 139 options->ip_qos_interactive = -1;
140 options->ip_qos_bulk = -1; 140 options->ip_qos_bulk = -1;
141 options->version_addendum = NULL;
141} 142}
142 143
143void 144void
@@ -277,7 +278,8 @@ fill_default_server_options(ServerOptions *options)
277 options->ip_qos_interactive = IPTOS_LOWDELAY; 278 options->ip_qos_interactive = IPTOS_LOWDELAY;
278 if (options->ip_qos_bulk == -1) 279 if (options->ip_qos_bulk == -1)
279 options->ip_qos_bulk = IPTOS_THROUGHPUT; 280 options->ip_qos_bulk = IPTOS_THROUGHPUT;
280 281 if (options->version_addendum == NULL)
282 options->version_addendum = xstrdup("");
281 /* Turn privilege separation on by default */ 283 /* Turn privilege separation on by default */
282 if (use_privsep == -1) 284 if (use_privsep == -1)
283 use_privsep = PRIVSEP_ON; 285 use_privsep = PRIVSEP_ON;
@@ -323,7 +325,7 @@ typedef enum {
323 sUsePrivilegeSeparation, sAllowAgentForwarding, 325 sUsePrivilegeSeparation, sAllowAgentForwarding,
324 sZeroKnowledgePasswordAuthentication, sHostCertificate, 326 sZeroKnowledgePasswordAuthentication, sHostCertificate,
325 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 327 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
326 sKexAlgorithms, sIPQoS, 328 sKexAlgorithms, sIPQoS, sVersionAddendum,
327 sDeprecated, sUnsupported 329 sDeprecated, sUnsupported
328} ServerOpCodes; 330} ServerOpCodes;
329 331
@@ -448,6 +450,7 @@ static struct {
448 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 450 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
449 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 451 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
450 { "ipqos", sIPQoS, SSHCFG_ALL }, 452 { "ipqos", sIPQoS, SSHCFG_ALL },
453 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
451 { NULL, sBadOption, 0 } 454 { NULL, sBadOption, 0 }
452}; 455};
453 456
@@ -1403,6 +1406,22 @@ process_server_config_line(ServerOptions *options, char *line,
1403 } 1406 }
1404 break; 1407 break;
1405 1408
1409 case sVersionAddendum:
1410 if (cp == NULL)
1411 fatal("%.200s line %d: Missing argument.", filename,
1412 linenum);
1413 len = strspn(cp, WHITESPACE);
1414 if (*activep && options->version_addendum == NULL) {
1415 if (strcasecmp(cp + len, "none") == 0)
1416 options->version_addendum = xstrdup("");
1417 else if (strchr(cp + len, '\r') != NULL)
1418 fatal("%.200s line %d: Invalid argument",
1419 filename, linenum);
1420 else
1421 options->version_addendum = xstrdup(cp + len);
1422 }
1423 return 0;
1424
1406 case sDeprecated: 1425 case sDeprecated:
1407 logit("%s line %d: Deprecated option %s", 1426 logit("%s line %d: Deprecated option %s",
1408 filename, linenum, arg); 1427 filename, linenum, arg);
@@ -1766,6 +1785,7 @@ dump_config(ServerOptions *o)
1766 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 1785 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1767 dump_cfg_string(sAuthorizedPrincipalsFile, 1786 dump_cfg_string(sAuthorizedPrincipalsFile,
1768 o->authorized_principals_file); 1787 o->authorized_principals_file);
1788 dump_cfg_string(sVersionAddendum, o->version_addendum);
1769 1789
1770 /* string arguments requiring a lookup */ 1790 /* string arguments requiring a lookup */
1771 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 1791 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff --git a/servconf.h b/servconf.h
index 89f38e20f..66ba387dd 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ 1/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -166,6 +166,8 @@ typedef struct {
166 char *revoked_keys_file; 166 char *revoked_keys_file;
167 char *trusted_user_ca_keys; 167 char *trusted_user_ca_keys;
168 char *authorized_principals_file; 168 char *authorized_principals_file;
169
170 char *version_addendum; /* Appended to SSH banner */
169} ServerOptions; 171} ServerOptions;
170 172
171/* 173/*
diff --git a/sshd.c b/sshd.c
index fddbc9d37..b7066df5c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -419,9 +419,11 @@ sshd_exchange_identification(int sock_in, int sock_out)
419 major = PROTOCOL_MAJOR_1; 419 major = PROTOCOL_MAJOR_1;
420 minor = PROTOCOL_MINOR_1; 420 minor = PROTOCOL_MINOR_1;
421 } 421 }
422 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, 422
423 SSH_VERSION, newline); 423 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
424 server_version_string = xstrdup(buf); 424 major, minor, SSH_VERSION,
425 *options.version_addendum == '\0' ? "" : " ",
426 options.version_addendum, newline);
425 427
426 /* Send our protocol version identification. */ 428 /* Send our protocol version identification. */
427 if (roaming_atomicio(vwrite, sock_out, server_version_string, 429 if (roaming_atomicio(vwrite, sock_out, server_version_string,
diff --git a/sshd_config b/sshd_config
index 473e86654..99dbd8580 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
1# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ 1# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $
2 2
3# This is the sshd server system-wide configuration file. See 3# This is the sshd server system-wide configuration file. See
4# sshd_config(5) for more information. 4# sshd_config(5) for more information.
@@ -107,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
107#MaxStartups 10 107#MaxStartups 10
108#PermitTunnel no 108#PermitTunnel no
109#ChrootDirectory none 109#ChrootDirectory none
110#VersionAddendum none
110 111
111# no default banner path 112# no default banner path
112#Banner none 113#Banner none
diff --git a/sshd_config.5 b/sshd_config.5
index 4ef8b9e6d..1522355a8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $
37.Dd $Mdocdate: September 9 2011 $ 37.Dd $Mdocdate: April 12 2012 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -1079,6 +1079,11 @@ is set to
1079.Dq sandbox 1079.Dq sandbox
1080then the pre-authentication unprivileged process is subject to additional 1080then the pre-authentication unprivileged process is subject to additional
1081restrictions. 1081restrictions.
1082.It Cm VersionAddendum
1083Optionally specifies additional text to append to the SSH protocol banner
1084sent by the server upon connection.
1085The default is
1086.Dq none .
1082.It Cm X11DisplayOffset 1087.It Cm X11DisplayOffset
1083Specifies the first display number available for 1088Specifies the first display number available for
1084.Xr sshd 8 Ns 's 1089.Xr sshd 8 Ns 's