1 files changed, 163 insertions, 0 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
new file mode 100644
index 000000000..0d998fdd4
--- /dev/null
+++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,163 @@
+From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@debian.org>
+Date: Sun, 9 Feb 2014 16:10:06 +0000
+Subject: Add DebianBanner server configuration option
+Setting this to "no" causes sshd to omit the Debian revision from its
+initial protocol handshake, for those scared by package-versioning.patch.
+Bug-Debian: http://bugs.debian.org/562048
+Forwarded: not-needed
+Last-Update: 2020-02-21
+Patch-Name: debian-banner.patch
+---
+ kex.c         | 5 +++--
+ kex.h         | 2 +-
+ servconf.c    | 9 +++++++++
+ servconf.h    | 2 ++
+ sshconnect.c  | 2 +-
+ sshd.c        | 3 ++-
+ sshd_config.5 | 5 +++++
+ 7 files changed, 23 insertions(+), 5 deletions(-)
+diff --git a/kex.c b/kex.c
+index f638942d3..2abfbb95a 100644
+--- a/kex.c
+++ b/kex.c
+@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
+  */
+ int
+ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+-    const char *version_addendum)
+    int debian_banner, const char *version_addendum)
+ {
+        int remote_major, remote_minor, mismatch;
+        size_t len, i, n;
+@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+        if (version_addendum != NULL && *version_addendum == '\0')
+                version_addendum = NULL;
+        if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+-          PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+          PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+           debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+            version_addendum == NULL ? "" : " ",
+            version_addendum == NULL ? "" : version_addendum)) != 0) {
+                error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
+diff --git a/kex.h b/kex.h
+index fe7141414..938dca03b 100644
+--- a/kex.h
+++ b/kex.h
+@@ -194,7 +194,7 @@ char        *kex_names_cat(const char *, const char *);
+ int     kex_assemble_names(char **, const char *, const char *);
+ int     kex_gss_names_valid(const char *);
+ 
+-int     kex_exchange_identification(struct ssh *, int, const char *);
+int     kex_exchange_identification(struct ssh *, int, int, const char *);
+ 
+ struct kex *kex_new(void);
+ int     kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
+diff --git a/servconf.c b/servconf.c
+index bf3cd84a4..7bbc25c2e 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
+        options->fingerprint_hash = -1;
+        options->disable_forwarding = -1;
+        options->expose_userauth_info = -1;
+       options->debian_banner = -1;
+ }
+ 
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
+                options->expose_userauth_info = 0;
+        if (options->sk_provider == NULL)
+                options->sk_provider = xstrdup("internal");
+       if (options->debian_banner == -1)
+               options->debian_banner = 1;
+ 
+        assemble_algorithms(options);
+ 
+@@ -556,6 +559,7 @@ typedef enum {
+        sStreamLocalBindMask, sStreamLocalBindUnlink,
+        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+        sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+       sDebianBanner,
+        sDeprecated, sIgnore, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -719,6 +723,7 @@ static struct {
+        { "rdomain", sRDomain, SSHCFG_ALL },
+        { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+        { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+        { NULL, sBadOption, 0 }
+ };
+ 
+@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+                        *charptr = xstrdup(arg);
+                break;
+ 
+       case sDebianBanner:
+               intptr = &options->debian_banner;
+               goto parse_flag;
+
+        case sDeprecated:
+        case sIgnore:
+        case sUnsupported:
+diff --git a/servconf.h b/servconf.h
+index 3f47ea25e..3fa05fcac 100644
+--- a/servconf.h
+++ b/servconf.h
+@@ -221,6 +221,8 @@ typedef struct {
+        int     expose_userauth_info;
+        u_int64_t timing_secret;
+        char   *sk_provider;
+
+       int     debian_banner;
+ }       ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
+diff --git a/sshconnect.c b/sshconnect.c
+index b796d3c8a..9f2412e0d 100644
+--- a/sshconnect.c
+++ b/sshconnect.c
+@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
+        lowercase(host);
+ 
+        /* Exchange protocol version identification strings with the server. */
+-       if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
+       if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
+                cleanup_exit(255); /* error already logged */
+ 
+        /* Put the connection into non-blocking mode. */
+diff --git a/sshd.c b/sshd.c
+index 65916fc6d..da876a900 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2187,7 +2187,8 @@ main(int ac, char **av)
+        if (!debug_flag)
+                alarm(options.login_grace_time);
+ 
+-       if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+       if (kex_exchange_identification(ssh, -1, options.debian_banner,
+           options.version_addendum) != 0)
+                cleanup_exit(255); /* error already logged */
+ 
+        ssh_packet_set_nonblocking(ssh);
+diff --git a/sshd_config.5 b/sshd_config.5
+index ebd09f891..c926f584c 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -542,6 +542,11 @@ or
+ .Cm no .
+ The default is
+ .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
+ .It Cm DenyGroups
+ This keyword can be followed by a list of group name patterns, separated
+ by spaces.

diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 000000000..0d998fdd4 --- /dev/null +++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,163 @@
	1	From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001
	2	From: Kees Cook <kees@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:06 +0000
	4	Subject: Add DebianBanner server configuration option
	5
	6	Setting this to "no" causes sshd to omit the Debian revision from its
	7	initial protocol handshake, for those scared by package-versioning.patch.
	8
	9	Bug-Debian: http://bugs.debian.org/562048
	10	Forwarded: not-needed
	11	Last-Update: 2020-02-21
	12
	13	Patch-Name: debian-banner.patch
	14	---
	15	kex.c \| 5 +++--
	16	kex.h \| 2 +-
	17	servconf.c \| 9 +++++++++
	18	servconf.h \| 2 ++
	19	sshconnect.c \| 2 +-
	20	sshd.c \| 3 ++-
	21	sshd_config.5 \| 5 +++++
	22	7 files changed, 23 insertions(+), 5 deletions(-)
	23
	24	diff --git a/kex.c b/kex.c
	25	index f638942d3..2abfbb95a 100644
	26	--- a/kex.c
	27	+++ b/kex.c
	28	@@ -1226,7 +1226,7 @@ send_error(struct ssh ssh, char msg)
	29	*/
	30	int
	31	kex_exchange_identification(struct ssh *ssh, int timeout_ms,
	32	- const char *version_addendum)
	33	+ int debian_banner, const char *version_addendum)
	34	{
	35	int remote_major, remote_minor, mismatch;
	36	size_t len, i, n;
	37	@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
	38	if (version_addendum != NULL && *version_addendum == '\0')
	39	version_addendum = NULL;
	40	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
	41	- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
	42	+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
	43	+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
	44	version_addendum == NULL ? "" : " ",
	45	version_addendum == NULL ? "" : version_addendum)) != 0) {
	46	error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
	47	diff --git a/kex.h b/kex.h
	48	index fe7141414..938dca03b 100644
	49	--- a/kex.h
	50	+++ b/kex.h
	51	@@ -194,7 +194,7 @@ char kex_names_cat(const char , const char *);
	52	int kex_assemble_names(char *, const char , const char *);
	53	int kex_gss_names_valid(const char *);
	54
	55	-int kex_exchange_identification(struct ssh , int, const char );
	56	+int kex_exchange_identification(struct ssh , int, int, const char );
	57
	58	struct kex *kex_new(void);
	59	int kex_ready(struct ssh , char [PROPOSAL_MAX]);
	60	diff --git a/servconf.c b/servconf.c
	61	index bf3cd84a4..7bbc25c2e 100644
	62	--- a/servconf.c
	63	+++ b/servconf.c
	64	@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
	65	options->fingerprint_hash = -1;
	66	options->disable_forwarding = -1;
	67	options->expose_userauth_info = -1;
	68	+ options->debian_banner = -1;
	69	}
	70
	71	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
	72	@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
	73	options->expose_userauth_info = 0;
	74	if (options->sk_provider == NULL)
	75	options->sk_provider = xstrdup("internal");
	76	+ if (options->debian_banner == -1)
	77	+ options->debian_banner = 1;
	78
	79	assemble_algorithms(options);
	80
	81	@@ -556,6 +559,7 @@ typedef enum {
	82	sStreamLocalBindMask, sStreamLocalBindUnlink,
	83	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
	84	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
	85	+ sDebianBanner,
	86	sDeprecated, sIgnore, sUnsupported
	87	} ServerOpCodes;
	88
	89	@@ -719,6 +723,7 @@ static struct {
	90	{ "rdomain", sRDomain, SSHCFG_ALL },
	91	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
	92	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
	93	+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
	94	{ NULL, sBadOption, 0 }
	95	};
	96
	97	@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions options, char line,
	98	*charptr = xstrdup(arg);
	99	break;
	100
	101	+ case sDebianBanner:
	102	+ intptr = &options->debian_banner;
	103	+ goto parse_flag;
	104	+
	105	case sDeprecated:
	106	case sIgnore:
	107	case sUnsupported:
	108	diff --git a/servconf.h b/servconf.h
	109	index 3f47ea25e..3fa05fcac 100644
	110	--- a/servconf.h
	111	+++ b/servconf.h
	112	@@ -221,6 +221,8 @@ typedef struct {
	113	int expose_userauth_info;
	114	u_int64_t timing_secret;
	115	char *sk_provider;
	116	+
	117	+ int debian_banner;
	118	} ServerOptions;
	119
	120	/* Information about the incoming connection as used by Match */
	121	diff --git a/sshconnect.c b/sshconnect.c
	122	index b796d3c8a..9f2412e0d 100644
	123	--- a/sshconnect.c
	124	+++ b/sshconnect.c
	125	@@ -1292,7 +1292,7 @@ ssh_login(struct ssh ssh, Sensitive sensitive, const char *orighost,
	126	lowercase(host);
	127
	128	/* Exchange protocol version identification strings with the server. */
	129	- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
	130	+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
	131	cleanup_exit(255); /* error already logged */
	132
	133	/* Put the connection into non-blocking mode. */
	134	diff --git a/sshd.c b/sshd.c
	135	index 65916fc6d..da876a900 100644
	136	--- a/sshd.c
	137	+++ b/sshd.c
	138	@@ -2187,7 +2187,8 @@ main(int ac, char **av)
	139	if (!debug_flag)
	140	alarm(options.login_grace_time);
	141
	142	- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
	143	+ if (kex_exchange_identification(ssh, -1, options.debian_banner,
	144	+ options.version_addendum) != 0)
	145	cleanup_exit(255); /* error already logged */
	146
	147	ssh_packet_set_nonblocking(ssh);
	148	diff --git a/sshd_config.5 b/sshd_config.5
	149	index ebd09f891..c926f584c 100644
	150	--- a/sshd_config.5
	151	+++ b/sshd_config.5
	152	@@ -542,6 +542,11 @@ or
	153	.Cm no .
	154	The default is
	155	.Cm yes .
	156	+.It Cm DebianBanner
	157	+Specifies whether the distribution-specified extra version suffix is
	158	+included during initial protocol handshake.
	159	+The default is
	160	+.Cm yes .
	161	.It Cm DenyGroups
	162	This keyword can be followed by a list of group name patterns, separated
	163	by spaces.