1 files changed, 99 insertions, 0 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
new file mode 100644
index 000000000..d96f2cc59
--- /dev/null
+++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,99 @@
+Description: Add DebianBanner server configuration option
+ Setting this to "no" causes sshd to omit the Debian revision from its
+ initial protocol handshake, for those scared by package-versioning.patch.
+Author: Kees Cook <kees@debian.org>
+Bug-Debian: http://bugs.debian.org/562048
+Forwarded: not-needed
+Last-Update: 2013-05-07
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -150,6 +150,7 @@
+        options->ip_qos_interactive = -1;
+        options->ip_qos_bulk = -1;
+        options->version_addendum = NULL;
+       options->debian_banner = -1;
+ }
+ 
+ void
+@@ -299,6 +300,8 @@
+                options->ip_qos_bulk = IPTOS_THROUGHPUT;
+        if (options->version_addendum == NULL)
+                options->version_addendum = xstrdup("");
+       if (options->debian_banner == -1)
+               options->debian_banner = 1;
+        /* Turn privilege separation on by default */
+        if (use_privsep == -1)
+                use_privsep = PRIVSEP_NOSANDBOX;
+@@ -349,6 +352,7 @@
+        sKexAlgorithms, sIPQoS, sVersionAddendum,
+        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+        sAuthenticationMethods,
+       sDebianBanner,
+        sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -488,6 +492,7 @@
+        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+        { NULL, sBadOption, 0 }
+ };
+ 
+@@ -1593,6 +1598,10 @@
+                }
+                return 0;
+ 
+       case sDebianBanner:
+               intptr = &options->debian_banner;
+               goto parse_int;
+
+        case sDeprecated:
+                logit("%s line %d: Deprecated option %s",
+                    filename, linenum, arg);
+Index: b/servconf.h
+===================================================================
+--- a/servconf.h
+++ b/servconf.h
+@@ -184,6 +184,8 @@
+ 
+        u_int   num_auth_methods;
+        char   *auth_methods[MAX_AUTH_METHODS];
+
+       int     debian_banner;
+ }       ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
+++ b/sshd.c
+@@ -434,7 +434,8 @@
+        }
+ 
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-           major, minor, SSH_RELEASE,
+           major, minor,
+           options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+            *options.version_addendum == '\0' ? "" : " ",
+            options.version_addendum, newline);
+ 
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -397,6 +397,11 @@
+ .Dq no .
+ The default is
+ .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
+ .It Cm DenyGroups
+ This keyword can be followed by a list of group name patterns, separated
+ by spaces.

diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 000000000..d96f2cc59 --- /dev/null +++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,99 @@
	1	Description: Add DebianBanner server configuration option
	2	Setting this to "no" causes sshd to omit the Debian revision from its
	3	initial protocol handshake, for those scared by package-versioning.patch.
	4	Author: Kees Cook <kees@debian.org>
	5	Bug-Debian: http://bugs.debian.org/562048
	6	Forwarded: not-needed
	7	Last-Update: 2013-05-07
	8
	9	Index: b/servconf.c
	10	===================================================================
	11	--- a/servconf.c
	12	+++ b/servconf.c
	13	@@ -150,6 +150,7 @@
	14	options->ip_qos_interactive = -1;
	15	options->ip_qos_bulk = -1;
	16	options->version_addendum = NULL;
	17	+ options->debian_banner = -1;
	18	}
	19
	20	void
	21	@@ -299,6 +300,8 @@
	22	options->ip_qos_bulk = IPTOS_THROUGHPUT;
	23	if (options->version_addendum == NULL)
	24	options->version_addendum = xstrdup("");
	25	+ if (options->debian_banner == -1)
	26	+ options->debian_banner = 1;
	27	/* Turn privilege separation on by default */
	28	if (use_privsep == -1)
	29	use_privsep = PRIVSEP_NOSANDBOX;
	30	@@ -349,6 +352,7 @@
	31	sKexAlgorithms, sIPQoS, sVersionAddendum,
	32	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
	33	sAuthenticationMethods,
	34	+ sDebianBanner,
	35	sDeprecated, sUnsupported
	36	} ServerOpCodes;
	37
	38	@@ -488,6 +492,7 @@
	39	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
	40	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
	41	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
	42	+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
	43	{ NULL, sBadOption, 0 }
	44	};
	45
	46	@@ -1593,6 +1598,10 @@
	47	}
	48	return 0;
	49
	50	+ case sDebianBanner:
	51	+ intptr = &options->debian_banner;
	52	+ goto parse_int;
	53	+
	54	case sDeprecated:
	55	logit("%s line %d: Deprecated option %s",
	56	filename, linenum, arg);
	57	Index: b/servconf.h
	58	===================================================================
	59	--- a/servconf.h
	60	+++ b/servconf.h
	61	@@ -184,6 +184,8 @@
	62
	63	u_int num_auth_methods;
	64	char *auth_methods[MAX_AUTH_METHODS];
	65	+
	66	+ int debian_banner;
	67	} ServerOptions;
	68
	69	/* Information about the incoming connection as used by Match */
	70	Index: b/sshd.c
	71	===================================================================
	72	--- a/sshd.c
	73	+++ b/sshd.c
	74	@@ -434,7 +434,8 @@
	75	}
	76
	77	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
	78	- major, minor, SSH_RELEASE,
	79	+ major, minor,
	80	+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
	81	*options.version_addendum == '\0' ? "" : " ",
	82	options.version_addendum, newline);
	83
	84	Index: b/sshd_config.5
	85	===================================================================
	86	--- a/sshd_config.5
	87	+++ b/sshd_config.5
	88	@@ -397,6 +397,11 @@
	89	.Dq no .
	90	The default is
	91	.Dq delayed .
	92	+.It Cm DebianBanner
	93	+Specifies whether the distribution-specified extra version suffix is
	94	+included during initial protocol handshake.
	95	+The default is
	96	+.Dq yes .
	97	.It Cm DenyGroups
	98	This keyword can be followed by a list of group name patterns, separated
	99	by spaces.