1 files changed, 99 insertions, 0 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
new file mode 100644
index 000000000..32251397d
--- /dev/null
+++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,99 @@
+Description: Add DebianBanner server configuration option
+ Setting this to "no" causes sshd to omit the Debian revision from its
+ initial protocol handshake, for those scared by package-versioning.patch.
+Author: Kees Cook <kees@debian.org>
+Bug-Debian: http://bugs.debian.org/562048
+Forwarded: not-needed
+Last-Update: 2010-02-28
+Index: b/servconf.c
+===================================================================
+--- a/servconf.c
+++ b/servconf.c
+@@ -143,6 +143,7 @@
+        options->authorized_principals_file = NULL;
+        options->ip_qos_interactive = -1;
+        options->ip_qos_bulk = -1;
+       options->debian_banner = -1;
+ }
+ 
+ void
+@@ -293,6 +294,8 @@
+                options->ip_qos_interactive = IPTOS_LOWDELAY;
+        if (options->ip_qos_bulk == -1)
+                options->ip_qos_bulk = IPTOS_THROUGHPUT;
+       if (options->debian_banner == -1)
+               options->debian_banner = 1;
+ 
+        /* Turn privilege separation on by default */
+        if (use_privsep == -1)
+@@ -342,6 +345,7 @@
+        sZeroKnowledgePasswordAuthentication, sHostCertificate,
+        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+        sKexAlgorithms, sIPQoS,
+       sDebianBanner,
+        sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -477,6 +481,7 @@
+        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+        { "ipqos", sIPQoS, SSHCFG_ALL },
+       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+        { NULL, sBadOption, 0 }
+ };
+ 
+@@ -1439,6 +1444,10 @@
+                }
+                break;
+ 
+       case sDebianBanner:
+               intptr = &options->debian_banner;
+               goto parse_int;
+
+        case sDeprecated:
+                logit("%s line %d: Deprecated option %s",
+                    filename, linenum, arg);
+Index: b/servconf.h
+===================================================================
+--- a/servconf.h
+++ b/servconf.h
+@@ -160,6 +160,8 @@
+ 
+        int     num_permitted_opens;
+ 
+       int     debian_banner;
+
+        char   *chroot_directory;
+        char   *revoked_keys_file;
+        char   *trusted_user_ca_keys;
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
+++ b/sshd.c
+@@ -422,7 +422,8 @@
+                minor = PROTOCOL_MINOR_1;
+        }
+        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+-           SSH_RELEASE, newline);
+           options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+           newline);
+        server_version_string = xstrdup(buf);
+ 
+        /* Send our protocol version identification. */
+Index: b/sshd_config.5
+===================================================================
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -339,6 +339,11 @@
+ .Dq no .
+ The default is
+ .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
+ .It Cm DenyGroups
+ This keyword can be followed by a list of group name patterns, separated
+ by spaces.

diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 000000000..32251397d --- /dev/null +++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,99 @@
	1	Description: Add DebianBanner server configuration option
	2	Setting this to "no" causes sshd to omit the Debian revision from its
	3	initial protocol handshake, for those scared by package-versioning.patch.
	4	Author: Kees Cook <kees@debian.org>
	5	Bug-Debian: http://bugs.debian.org/562048
	6	Forwarded: not-needed
	7	Last-Update: 2010-02-28
	8
	9	Index: b/servconf.c
	10	===================================================================
	11	--- a/servconf.c
	12	+++ b/servconf.c
	13	@@ -143,6 +143,7 @@
	14	options->authorized_principals_file = NULL;
	15	options->ip_qos_interactive = -1;
	16	options->ip_qos_bulk = -1;
	17	+ options->debian_banner = -1;
	18	}
	19
	20	void
	21	@@ -293,6 +294,8 @@
	22	options->ip_qos_interactive = IPTOS_LOWDELAY;
	23	if (options->ip_qos_bulk == -1)
	24	options->ip_qos_bulk = IPTOS_THROUGHPUT;
	25	+ if (options->debian_banner == -1)
	26	+ options->debian_banner = 1;
	27
	28	/* Turn privilege separation on by default */
	29	if (use_privsep == -1)
	30	@@ -342,6 +345,7 @@
	31	sZeroKnowledgePasswordAuthentication, sHostCertificate,
	32	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
	33	sKexAlgorithms, sIPQoS,
	34	+ sDebianBanner,
	35	sDeprecated, sUnsupported
	36	} ServerOpCodes;
	37
	38	@@ -477,6 +481,7 @@
	39	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
	40	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
	41	{ "ipqos", sIPQoS, SSHCFG_ALL },
	42	+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
	43	{ NULL, sBadOption, 0 }
	44	};
	45
	46	@@ -1439,6 +1444,10 @@
	47	}
	48	break;
	49
	50	+ case sDebianBanner:
	51	+ intptr = &options->debian_banner;
	52	+ goto parse_int;
	53	+
	54	case sDeprecated:
	55	logit("%s line %d: Deprecated option %s",
	56	filename, linenum, arg);
	57	Index: b/servconf.h
	58	===================================================================
	59	--- a/servconf.h
	60	+++ b/servconf.h
	61	@@ -160,6 +160,8 @@
	62
	63	int num_permitted_opens;
	64
	65	+ int debian_banner;
	66	+
	67	char *chroot_directory;
	68	char *revoked_keys_file;
	69	char *trusted_user_ca_keys;
	70	Index: b/sshd.c
	71	===================================================================
	72	--- a/sshd.c
	73	+++ b/sshd.c
	74	@@ -422,7 +422,8 @@
	75	minor = PROTOCOL_MINOR_1;
	76	}
	77	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
	78	- SSH_RELEASE, newline);
	79	+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
	80	+ newline);
	81	server_version_string = xstrdup(buf);
	82
	83	/* Send our protocol version identification. */
	84	Index: b/sshd_config.5
	85	===================================================================
	86	--- a/sshd_config.5
	87	+++ b/sshd_config.5
	88	@@ -339,6 +339,11 @@
	89	.Dq no .
	90	The default is
	91	.Dq delayed .
	92	+.It Cm DebianBanner
	93	+Specifies whether the distribution-specified extra version suffix is
	94	+included during initial protocol handshake.
	95	+The default is
	96	+.Dq yes .
	97	.It Cm DenyGroups
	98	This keyword can be followed by a list of group name patterns, separated
	99	by spaces.