1 files changed, 111 insertions, 0 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
new file mode 100644
index 000000000..4d60c3c01
--- /dev/null
+++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,111 @@
+From 1b9f8f458824d7e46f9f749c77f26016f2ea9967 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@debian.org>
+Date: Sun, 9 Feb 2014 16:10:06 +0000
+Subject: Add DebianBanner server configuration option
+Setting this to "no" causes sshd to omit the Debian revision from its
+initial protocol handshake, for those scared by package-versioning.patch.
+Bug-Debian: http://bugs.debian.org/562048
+Forwarded: not-needed
+Last-Update: 2015-11-29
+Patch-Name: debian-banner.patch
+---
+ servconf.c    | 9 +++++++++
+ servconf.h    | 2 ++
+ sshd.c        | 3 ++-
+ sshd_config.5 | 5 +++++
+ 4 files changed, 18 insertions(+), 1 deletion(-)
+diff --git a/servconf.c b/servconf.c
+index fad7c92..8ca9695 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
+        options->ip_qos_bulk = -1;
+        options->version_addendum = NULL;
+        options->fingerprint_hash = -1;
+       options->debian_banner = -1;
+ }
+ 
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -359,6 +360,8 @@ fill_default_server_options(ServerOptions *options)
+                options->fwd_opts.streamlocal_bind_unlink = 0;
+        if (options->fingerprint_hash == -1)
+                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+       if (options->debian_banner == -1)
+               options->debian_banner = 1;
+ 
+        assemble_algorithms(options);
+ 
+@@ -437,6 +440,7 @@ typedef enum {
+        sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+        sStreamLocalBindMask, sStreamLocalBindUnlink,
+        sAllowStreamLocalForwarding, sFingerprintHash,
+       sDebianBanner,
+        sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -588,6 +592,7 @@ static struct {
+        { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
+        { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
+        { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+        { NULL, sBadOption, 0 }
+ };
+ 
+@@ -1874,6 +1879,10 @@ process_server_config_line(ServerOptions *options, char *line,
+                        options->fingerprint_hash = value;
+                break;
+ 
+       case sDebianBanner:
+               intptr = &options->debian_banner;
+               goto parse_int;
+
+        case sDeprecated:
+                logit("%s line %d: Deprecated option %s",
+                    filename, linenum, arg);
+diff --git a/servconf.h b/servconf.h
+index 778ba17..161fa37 100644
+--- a/servconf.h
+++ b/servconf.h
+@@ -197,6 +197,8 @@ typedef struct {
+        char   *auth_methods[MAX_AUTH_METHODS];
+ 
+        int     fingerprint_hash;
+
+       int     debian_banner;
+ }       ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
+diff --git a/sshd.c b/sshd.c
+index c762190..57ae4ad 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
+        }
+ 
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-           major, minor, SSH_RELEASE,
+           major, minor,
+           options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+            *options.version_addendum == '\0' ? "" : " ",
+            options.version_addendum, newline);
+ 
+diff --git a/sshd_config.5 b/sshd_config.5
+index bc79a66..b565640 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -534,6 +534,11 @@ or
+ .Dq no .
+ The default is
+ .Dq delayed .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
+ .It Cm DenyGroups
+ This keyword can be followed by a list of group name patterns, separated
+ by spaces.

diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 000000000..4d60c3c01 --- /dev/null +++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,111 @@
	1	From 1b9f8f458824d7e46f9f749c77f26016f2ea9967 Mon Sep 17 00:00:00 2001
	2	From: Kees Cook <kees@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:06 +0000
	4	Subject: Add DebianBanner server configuration option
	5
	6	Setting this to "no" causes sshd to omit the Debian revision from its
	7	initial protocol handshake, for those scared by package-versioning.patch.
	8
	9	Bug-Debian: http://bugs.debian.org/562048
	10	Forwarded: not-needed
	11	Last-Update: 2015-11-29
	12
	13	Patch-Name: debian-banner.patch
	14	---
	15	servconf.c \| 9 +++++++++
	16	servconf.h \| 2 ++
	17	sshd.c \| 3 ++-
	18	sshd_config.5 \| 5 +++++
	19	4 files changed, 18 insertions(+), 1 deletion(-)
	20
	21	diff --git a/servconf.c b/servconf.c
	22	index fad7c92..8ca9695 100644
	23	--- a/servconf.c
	24	+++ b/servconf.c
	25	@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
	26	options->ip_qos_bulk = -1;
	27	options->version_addendum = NULL;
	28	options->fingerprint_hash = -1;
	29	+ options->debian_banner = -1;
	30	}
	31
	32	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
	33	@@ -359,6 +360,8 @@ fill_default_server_options(ServerOptions *options)
	34	options->fwd_opts.streamlocal_bind_unlink = 0;
	35	if (options->fingerprint_hash == -1)
	36	options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
	37	+ if (options->debian_banner == -1)
	38	+ options->debian_banner = 1;
	39
	40	assemble_algorithms(options);
	41
	42	@@ -437,6 +440,7 @@ typedef enum {
	43	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
	44	sStreamLocalBindMask, sStreamLocalBindUnlink,
	45	sAllowStreamLocalForwarding, sFingerprintHash,
	46	+ sDebianBanner,
	47	sDeprecated, sUnsupported
	48	} ServerOpCodes;
	49
	50	@@ -588,6 +592,7 @@ static struct {
	51	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
	52	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
	53	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
	54	+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
	55	{ NULL, sBadOption, 0 }
	56	};
	57
	58	@@ -1874,6 +1879,10 @@ process_server_config_line(ServerOptions options, char line,
	59	options->fingerprint_hash = value;
	60	break;
	61
	62	+ case sDebianBanner:
	63	+ intptr = &options->debian_banner;
	64	+ goto parse_int;
	65	+
	66	case sDeprecated:
	67	logit("%s line %d: Deprecated option %s",
	68	filename, linenum, arg);
	69	diff --git a/servconf.h b/servconf.h
	70	index 778ba17..161fa37 100644
	71	--- a/servconf.h
	72	+++ b/servconf.h
	73	@@ -197,6 +197,8 @@ typedef struct {
	74	char *auth_methods[MAX_AUTH_METHODS];
	75
	76	int fingerprint_hash;
	77	+
	78	+ int debian_banner;
	79	} ServerOptions;
	80
	81	/* Information about the incoming connection as used by Match */
	82	diff --git a/sshd.c b/sshd.c
	83	index c762190..57ae4ad 100644
	84	--- a/sshd.c
	85	+++ b/sshd.c
	86	@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
	87	}
	88
	89	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
	90	- major, minor, SSH_RELEASE,
	91	+ major, minor,
	92	+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
	93	*options.version_addendum == '\0' ? "" : " ",
	94	options.version_addendum, newline);
	95
	96	diff --git a/sshd_config.5 b/sshd_config.5
	97	index bc79a66..b565640 100644
	98	--- a/sshd_config.5
	99	+++ b/sshd_config.5
	100	@@ -534,6 +534,11 @@ or
	101	.Dq no .
	102	The default is
	103	.Dq delayed .
	104	+.It Cm DebianBanner
	105	+Specifies whether the distribution-specified extra version suffix is
	106	+included during initial protocol handshake.
	107	+The default is
	108	+.Dq yes .
	109	.It Cm DenyGroups
	110	This keyword can be followed by a list of group name patterns, separated
	111	by spaces.