Diffstat (limited to 'debian/patches/debian-banner.patch')
-rw-r--r-- | debian/patches/debian-banner.patch | 94 |
1 files changed, 73 insertions, 21 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 7963b03ed..61e58e553 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a18385c6866da4d69f46b64626ae5d60b4cf4a66 Mon Sep 17 00:00:00 2001 | 1 | From 085c44daefaee16df97e1b2a0967b2140cc86de0 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -8,21 +8,60 @@ initial protocol handshake, for those scared by package-versioning.patch. | |||
8 | 8 | ||
9 | Bug-Debian: http://bugs.debian.org/562048 | 9 | Bug-Debian: http://bugs.debian.org/562048 |
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2018-10-19 | 11 | Last-Update: 2019-06-05 |
12 | 12 | ||
13 | Patch-Name: debian-banner.patch | 13 | Patch-Name: debian-banner.patch |
14 | --- | 14 | --- |
15 | kex.c | 5 +++-- | ||
16 | kex.h | 2 +- | ||
15 | servconf.c | 9 +++++++++ | 17 | servconf.c | 9 +++++++++ |
16 | servconf.h | 2 ++ | 18 | servconf.h | 2 ++ |
19 | sshconnect.c | 2 +- | ||
17 | sshd.c | 3 ++- | 20 | sshd.c | 3 ++- |
18 | sshd_config.5 | 5 +++++ | 21 | sshd_config.5 | 5 +++++ |
19 | 4 files changed, 18 insertions(+), 1 deletion(-) | 22 | 7 files changed, 23 insertions(+), 5 deletions(-) |
20 | 23 | ||
24 | diff --git a/kex.c b/kex.c | ||
25 | index be354206d..bbb7a2340 100644 | ||
26 | --- a/kex.c | ||
27 | +++ b/kex.c | ||
28 | @@ -1168,7 +1168,7 @@ send_error(struct ssh *ssh, char *msg) | ||
29 | */ | ||
30 | int | ||
31 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, | ||
32 | - const char *version_addendum) | ||
33 | + int debian_banner, const char *version_addendum) | ||
34 | { | ||
35 | int remote_major, remote_minor, mismatch; | ||
36 | size_t len, i, n; | ||
37 | @@ -1186,7 +1186,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, | ||
38 | if (version_addendum != NULL && *version_addendum == '\0') | ||
39 | version_addendum = NULL; | ||
40 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", | ||
41 | - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, | ||
42 | + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, | ||
43 | + debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
44 | version_addendum == NULL ? "" : " ", | ||
45 | version_addendum == NULL ? "" : version_addendum)) != 0) { | ||
46 | error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); | ||
47 | diff --git a/kex.h b/kex.h | ||
48 | index 2d5f1d4ed..39f67bbc1 100644 | ||
49 | --- a/kex.h | ||
50 | +++ b/kex.h | ||
51 | @@ -195,7 +195,7 @@ char *kex_names_cat(const char *, const char *); | ||
52 | int kex_assemble_names(char **, const char *, const char *); | ||
53 | int kex_gss_names_valid(const char *); | ||
54 | |||
55 | -int kex_exchange_identification(struct ssh *, int, const char *); | ||
56 | +int kex_exchange_identification(struct ssh *, int, int, const char *); | ||
57 | |||
58 | struct kex *kex_new(void); | ||
59 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); | ||
21 | diff --git a/servconf.c b/servconf.c | 60 | diff --git a/servconf.c b/servconf.c |
22 | index 6caf1db38..c5dd617ef 100644 | 61 | index c01e0690e..8d2bced52 100644 |
23 | --- a/servconf.c | 62 | --- a/servconf.c |
24 | +++ b/servconf.c | 63 | +++ b/servconf.c |
25 | @@ -182,6 +182,7 @@ initialize_server_options(ServerOptions *options) | 64 | @@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options) |
26 | options->fingerprint_hash = -1; | 65 | options->fingerprint_hash = -1; |
27 | options->disable_forwarding = -1; | 66 | options->disable_forwarding = -1; |
28 | options->expose_userauth_info = -1; | 67 | options->expose_userauth_info = -1; |
@@ -30,7 +69,7 @@ index 6caf1db38..c5dd617ef 100644 | |||
30 | } | 69 | } |
31 | 70 | ||
32 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ | 71 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
33 | @@ -417,6 +418,8 @@ fill_default_server_options(ServerOptions *options) | 72 | @@ -437,6 +438,8 @@ fill_default_server_options(ServerOptions *options) |
34 | options->disable_forwarding = 0; | 73 | options->disable_forwarding = 0; |
35 | if (options->expose_userauth_info == -1) | 74 | if (options->expose_userauth_info == -1) |
36 | options->expose_userauth_info = 0; | 75 | options->expose_userauth_info = 0; |
@@ -39,7 +78,7 @@ index 6caf1db38..c5dd617ef 100644 | |||
39 | 78 | ||
40 | assemble_algorithms(options); | 79 | assemble_algorithms(options); |
41 | 80 | ||
42 | @@ -504,6 +507,7 @@ typedef enum { | 81 | @@ -523,6 +526,7 @@ typedef enum { |
43 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 82 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
44 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, | 83 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
45 | sExposeAuthInfo, sRDomain, | 84 | sExposeAuthInfo, sRDomain, |
@@ -47,7 +86,7 @@ index 6caf1db38..c5dd617ef 100644 | |||
47 | sDeprecated, sIgnore, sUnsupported | 86 | sDeprecated, sIgnore, sUnsupported |
48 | } ServerOpCodes; | 87 | } ServerOpCodes; |
49 | 88 | ||
50 | @@ -661,6 +665,7 @@ static struct { | 89 | @@ -682,6 +686,7 @@ static struct { |
51 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, | 90 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, |
52 | { "rdomain", sRDomain, SSHCFG_ALL }, | 91 | { "rdomain", sRDomain, SSHCFG_ALL }, |
53 | { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, | 92 | { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, |
@@ -55,7 +94,7 @@ index 6caf1db38..c5dd617ef 100644 | |||
55 | { NULL, sBadOption, 0 } | 94 | { NULL, sBadOption, 0 } |
56 | }; | 95 | }; |
57 | 96 | ||
58 | @@ -2173,6 +2178,10 @@ process_server_config_line(ServerOptions *options, char *line, | 97 | @@ -2211,6 +2216,10 @@ process_server_config_line(ServerOptions *options, char *line, |
59 | *charptr = xstrdup(arg); | 98 | *charptr = xstrdup(arg); |
60 | break; | 99 | break; |
61 | 100 | ||
@@ -67,10 +106,10 @@ index 6caf1db38..c5dd617ef 100644 | |||
67 | case sIgnore: | 106 | case sIgnore: |
68 | case sUnsupported: | 107 | case sUnsupported: |
69 | diff --git a/servconf.h b/servconf.h | 108 | diff --git a/servconf.h b/servconf.h |
70 | index 3b76da816..4e3c54042 100644 | 109 | index a476d5220..986093ffa 100644 |
71 | --- a/servconf.h | 110 | --- a/servconf.h |
72 | +++ b/servconf.h | 111 | +++ b/servconf.h |
73 | @@ -212,6 +212,8 @@ typedef struct { | 112 | @@ -214,6 +214,8 @@ typedef struct { |
74 | int fingerprint_hash; | 113 | int fingerprint_hash; |
75 | int expose_userauth_info; | 114 | int expose_userauth_info; |
76 | u_int64_t timing_secret; | 115 | u_int64_t timing_secret; |
@@ -79,22 +118,35 @@ index 3b76da816..4e3c54042 100644 | |||
79 | } ServerOptions; | 118 | } ServerOptions; |
80 | 119 | ||
81 | /* Information about the incoming connection as used by Match */ | 120 | /* Information about the incoming connection as used by Match */ |
121 | diff --git a/sshconnect.c b/sshconnect.c | ||
122 | index 0b6f6af4b..1183ffe0e 100644 | ||
123 | --- a/sshconnect.c | ||
124 | +++ b/sshconnect.c | ||
125 | @@ -1287,7 +1287,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, | ||
126 | lowercase(host); | ||
127 | |||
128 | /* Exchange protocol version identification strings with the server. */ | ||
129 | - if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0) | ||
130 | + if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0) | ||
131 | cleanup_exit(255); /* error already logged */ | ||
132 | |||
133 | /* Put the connection into non-blocking mode. */ | ||
82 | diff --git a/sshd.c b/sshd.c | 134 | diff --git a/sshd.c b/sshd.c |
83 | index 9481272fc..d7e77d343 100644 | 135 | index e3e96426e..1e7ece588 100644 |
84 | --- a/sshd.c | 136 | --- a/sshd.c |
85 | +++ b/sshd.c | 137 | +++ b/sshd.c |
86 | @@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) | 138 | @@ -2160,7 +2160,8 @@ main(int ac, char **av) |
87 | char remote_version[256]; /* Must be at least as big as buf. */ | 139 | if (!debug_flag) |
140 | alarm(options.login_grace_time); | ||
88 | 141 | ||
89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", | 142 | - if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0) |
90 | - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, | 143 | + if (kex_exchange_identification(ssh, -1, options.debian_banner, |
91 | + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, | 144 | + options.version_addendum) != 0) |
92 | + options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | 145 | cleanup_exit(255); /* error already logged */ |
93 | *options.version_addendum == '\0' ? "" : " ", | ||
94 | options.version_addendum); | ||
95 | 146 | ||
147 | ssh_packet_set_nonblocking(ssh); | ||
96 | diff --git a/sshd_config.5 b/sshd_config.5 | 148 | diff --git a/sshd_config.5 b/sshd_config.5 |
97 | index e7e55dd71..37e6be38f 100644 | 149 | index 2ef671d1b..addea54a0 100644 |
98 | --- a/sshd_config.5 | 150 | --- a/sshd_config.5 |
99 | +++ b/sshd_config.5 | 151 | +++ b/sshd_config.5 |
100 | @@ -543,6 +543,11 @@ or | 152 | @@ -543,6 +543,11 @@ or |