6 files changed, 45 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 9c9b3fd0c..a8312a5ef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,10 @@
     [ssh-keyscan.1 ssh-keyscan.c]
     now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
     look for them by default; bz#1971
+   - djm@cvs.openbsd.org 2012/04/12 02:42:32
+     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+     VersionAddendum option to allow server operators to append some arbitrary
+     text to the SSH-... banner; ok deraadt@ "don't care" markus@
 20120420
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
diff --git a/servconf.c b/servconf.c
index 6de77164e..a8a40f97e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions *options)
        options->authorized_principals_file = NULL;
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
+        options->version_addendum = NULL;
 }
 void
@@ -277,7 +278,8 @@ fill_default_server_options(ServerOptions *options)
                options->ip_qos_interactive = IPTOS_LOWDELAY;
        if (options->ip_qos_bulk == -1)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->version_addendum == NULL)
+                options->version_addendum = xstrdup("");
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
                use_privsep = PRIVSEP_ON;
@@ -323,7 +325,7 @@ typedef enum {
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-        sKexAlgorithms, sIPQoS,
+        sKexAlgorithms, sIPQoS, sVersionAddendum,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -448,6 +450,7 @@ static struct {
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
        { "ipqos", sIPQoS, SSHCFG_ALL },
+        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -1403,6 +1406,22 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                break;
+        case sVersionAddendum:
+                if (cp == NULL)
+                        fatal("%.200s line %d: Missing argument.", filename,
+                            linenum);
+                len = strspn(cp, WHITESPACE);
+                if (*activep && options->version_addendum == NULL) {
+                        if (strcasecmp(cp + len, "none") == 0)
+                                options->version_addendum = xstrdup("");
+                        else if (strchr(cp + len, '\r') != NULL)
+                                fatal("%.200s line %d: Invalid argument",
+                                    filename, linenum);
+                        else
+                                options->version_addendum = xstrdup(cp + len);
+                }
+                return 0;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
@@ -1766,6 +1785,7 @@ dump_config(ServerOptions *o)
        dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
        dump_cfg_string(sAuthorizedPrincipalsFile,
            o->authorized_principals_file);
+        dump_cfg_string(sVersionAddendum, o->version_addendum);
        /* string arguments requiring a lookup */
        dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff --git a/servconf.h b/servconf.h
index 89f38e20f..66ba387dd 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -166,6 +166,8 @@ typedef struct {
        char   *revoked_keys_file;
        char   *trusted_user_ca_keys;
        char   *authorized_principals_file;
+        char   *version_addendum;       /* Appended to SSH banner */
 }       ServerOptions;
 /*
diff --git a/sshd.c b/sshd.c
index fddbc9d37..b7066df5c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -419,9 +419,11 @@ sshd_exchange_identification(int sock_in, int sock_out)
                major = PROTOCOL_MAJOR_1;
                minor = PROTOCOL_MINOR_1;
        }
-        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-            SSH_VERSION, newline);
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-        server_version_string = xstrdup(buf);
+            major, minor, SSH_VERSION,
+            *options.version_addendum == '\0' ? "" : " ",
+            options.version_addendum, newline);
        /* Send our protocol version identification. */
        if (roaming_atomicio(vwrite, sock_out, server_version_string,
diff --git a/sshd_config b/sshd_config
index 473e86654..99dbd8580 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
+#       $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -107,6 +107,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #MaxStartups 10
 #PermitTunnel no
 #ChrootDirectory none
+#VersionAddendum none
 # no default banner path
 #Banner none
diff --git a/sshd_config.5 b/sshd_config.5
index 4ef8b9e6d..1522355a8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $
-.Dd $Mdocdate: September 9 2011 $
+.Dd $Mdocdate: April 12 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1079,6 +1079,11 @@ is set to
 .Dq sandbox
 then the pre-authentication unprivileged process is subject to additional
 restrictions.
+.It Cm VersionAddendum
+Optionally specifies additional text to append to the SSH protocol banner
+sent by the server upon connection.
+The default is
+.Dq none .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's

diff --git a/ChangeLog b/ChangeLog index 9c9b3fd0c..a8312a5ef 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -33,6 +33,10 @@
33	[ssh-keyscan.1 ssh-keyscan.c]	33	[ssh-keyscan.1 ssh-keyscan.c]
34	now that sshd defaults to offering ECDSA keys, ssh-keyscan should also	34	now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
35	look for them by default; bz#1971	35	look for them by default; bz#1971
		36	- djm@cvs.openbsd.org 2012/04/12 02:42:32
		37	[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
		38	VersionAddendum option to allow server operators to append some arbitrary
		39	text to the SSH-... banner; ok deraadt@ "don't care" markus@
36		40
37	20120420	41	20120420
38	- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]	42	- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]


diff --git a/servconf.c b/servconf.c index 6de77164e..a8a40f97e 100644 --- a/servconf.c +++ b/servconf.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */	1	/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions *options)
138	options->authorized_principals_file = NULL;	138	options->authorized_principals_file = NULL;
139	options->ip_qos_interactive = -1;	139	options->ip_qos_interactive = -1;
140	options->ip_qos_bulk = -1;	140	options->ip_qos_bulk = -1;
		141	options->version_addendum = NULL;
141	}	142	}
142		143
143	void	144	void
@@ -277,7 +278,8 @@ fill_default_server_options(ServerOptions *options)
277	options->ip_qos_interactive = IPTOS_LOWDELAY;	278	options->ip_qos_interactive = IPTOS_LOWDELAY;
278	if (options->ip_qos_bulk == -1)	279	if (options->ip_qos_bulk == -1)
279	options->ip_qos_bulk = IPTOS_THROUGHPUT;	280	options->ip_qos_bulk = IPTOS_THROUGHPUT;
280		281	if (options->version_addendum == NULL)
		282	options->version_addendum = xstrdup("");
281	/* Turn privilege separation on by default */	283	/* Turn privilege separation on by default */
282	if (use_privsep == -1)	284	if (use_privsep == -1)
283	use_privsep = PRIVSEP_ON;	285	use_privsep = PRIVSEP_ON;
@@ -323,7 +325,7 @@ typedef enum {
323	sUsePrivilegeSeparation, sAllowAgentForwarding,	325	sUsePrivilegeSeparation, sAllowAgentForwarding,
324	sZeroKnowledgePasswordAuthentication, sHostCertificate,	326	sZeroKnowledgePasswordAuthentication, sHostCertificate,
325	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	327	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
326	sKexAlgorithms, sIPQoS,	328	sKexAlgorithms, sIPQoS, sVersionAddendum,
327	sDeprecated, sUnsupported	329	sDeprecated, sUnsupported
328	} ServerOpCodes;	330	} ServerOpCodes;
329		331
@@ -448,6 +450,7 @@ static struct {
448	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },	450	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
449	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },	451	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
450	{ "ipqos", sIPQoS, SSHCFG_ALL },	452	{ "ipqos", sIPQoS, SSHCFG_ALL },
		453	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
451	{ NULL, sBadOption, 0 }	454	{ NULL, sBadOption, 0 }
452	};	455	};
453		456
@@ -1403,6 +1406,22 @@ process_server_config_line(ServerOptions options, char line,
1403	}	1406	}
1404	break;	1407	break;
1405		1408
		1409	case sVersionAddendum:
		1410	if (cp == NULL)
		1411	fatal("%.200s line %d: Missing argument.", filename,
		1412	linenum);
		1413	len = strspn(cp, WHITESPACE);
		1414	if (*activep && options->version_addendum == NULL) {
		1415	if (strcasecmp(cp + len, "none") == 0)
		1416	options->version_addendum = xstrdup("");
		1417	else if (strchr(cp + len, '\r') != NULL)
		1418	fatal("%.200s line %d: Invalid argument",
		1419	filename, linenum);
		1420	else
		1421	options->version_addendum = xstrdup(cp + len);
		1422	}
		1423	return 0;
		1424
1406	case sDeprecated:	1425	case sDeprecated:
1407	logit("%s line %d: Deprecated option %s",	1426	logit("%s line %d: Deprecated option %s",
1408	filename, linenum, arg);	1427	filename, linenum, arg);
@@ -1766,6 +1785,7 @@ dump_config(ServerOptions *o)
1766	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);	1785	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1767	dump_cfg_string(sAuthorizedPrincipalsFile,	1786	dump_cfg_string(sAuthorizedPrincipalsFile,
1768	o->authorized_principals_file);	1787	o->authorized_principals_file);
		1788	dump_cfg_string(sVersionAddendum, o->version_addendum);
1769		1789
1770	/* string arguments requiring a lookup */	1790	/* string arguments requiring a lookup */
1771	dump_cfg_string(sLogLevel, log_level_name(o->log_level));	1791	dump_cfg_string(sLogLevel, log_level_name(o->log_level));


diff --git a/servconf.h b/servconf.h index 89f38e20f..66ba387dd 100644 --- a/servconf.h +++ b/servconf.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */	1	/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */
2		2
3	/*	3	/*
4	* Author: Tatu Ylonen <ylo@cs.hut.fi>	4	* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -166,6 +166,8 @@ typedef struct {
166	char *revoked_keys_file;	166	char *revoked_keys_file;
167	char *trusted_user_ca_keys;	167	char *trusted_user_ca_keys;
168	char *authorized_principals_file;	168	char *authorized_principals_file;
		169
		170	char version_addendum; / Appended to SSH banner */
169	} ServerOptions;	171	} ServerOptions;
170		172
171	/*	173	/*


diff --git a/sshd.c b/sshd.c index fddbc9d37..b7066df5c 100644 --- a/sshd.c +++ b/sshd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */	1	/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -419,9 +419,11 @@ sshd_exchange_identification(int sock_in, int sock_out)
419	major = PROTOCOL_MAJOR_1;	419	major = PROTOCOL_MAJOR_1;
420	minor = PROTOCOL_MINOR_1;	420	minor = PROTOCOL_MINOR_1;
421	}	421	}
422	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,	422
423	SSH_VERSION, newline);	423	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
424	server_version_string = xstrdup(buf);	424	major, minor, SSH_VERSION,
		425	*options.version_addendum == '\0' ? "" : " ",
		426	options.version_addendum, newline);
425		427
426	/* Send our protocol version identification. */	428	/* Send our protocol version identification. */
427	if (roaming_atomicio(vwrite, sock_out, server_version_string,	429	if (roaming_atomicio(vwrite, sock_out, server_version_string,


diff --git a/sshd_config b/sshd_config index 473e86654..99dbd8580 100644 --- a/sshd_config +++ b/sshd_config
@@ -1,4 +1,4 @@
1	# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $	1	# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $
2		2
3	# This is the sshd server system-wide configuration file. See	3	# This is the sshd server system-wide configuration file. See
4	# sshd_config(5) for more information.	4	# sshd_config(5) for more information.
@@ -107,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
107	#MaxStartups 10	107	#MaxStartups 10
108	#PermitTunnel no	108	#PermitTunnel no
109	#ChrootDirectory none	109	#ChrootDirectory none
		110	#VersionAddendum none
110		111
111	# no default banner path	112	# no default banner path
112	#Banner none	113	#Banner none


diff --git a/sshd_config.5 b/sshd_config.5 index 4ef8b9e6d..1522355a8 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $
37	.Dd $Mdocdate: September 9 2011 $	37	.Dd $Mdocdate: April 12 2012 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1079,6 +1079,11 @@ is set to
1079	.Dq sandbox	1079	.Dq sandbox
1080	then the pre-authentication unprivileged process is subject to additional	1080	then the pre-authentication unprivileged process is subject to additional
1081	restrictions.	1081	restrictions.
		1082	.It Cm VersionAddendum
		1083	Optionally specifies additional text to append to the SSH protocol banner
		1084	sent by the server upon connection.
		1085	The default is
		1086	.Dq none .
1082	.It Cm X11DisplayOffset	1087	.It Cm X11DisplayOffset
1083	Specifies the first display number available for	1088	Specifies the first display number available for
1084	.Xr sshd 8 Ns 's	1089	.Xr sshd 8 Ns 's