1 files changed, 162 insertions, 0 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
new file mode 100644
index 000000000..82cc37c1b
--- /dev/null
+++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,162 @@
+From 6353ee79cc71ef33a0a34d2d769a5fe327f6260d Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@debian.org>
+Date: Sun, 9 Feb 2014 16:10:06 +0000
+Subject: Add DebianBanner server configuration option
+Setting this to "no" causes sshd to omit the Debian revision from its
+initial protocol handshake, for those scared by package-versioning.patch.
+Bug-Debian: http://bugs.debian.org/562048
+Forwarded: not-needed
+Last-Update: 2020-06-07
+Patch-Name: debian-banner.patch
+---
+ kex.c         | 5 +++--
+ kex.h         | 2 +-
+ servconf.c    | 9 +++++++++
+ servconf.h    | 2 ++
+ sshconnect.c  | 2 +-
+ sshd.c        | 2 +-
+ sshd_config.5 | 5 +++++
+ 7 files changed, 22 insertions(+), 5 deletions(-)
+diff --git a/kex.c b/kex.c
+index ce7bb5b3b..763c45536 100644
+--- a/kex.c
+++ b/kex.c
+@@ -1225,7 +1225,7 @@ send_error(struct ssh *ssh, char *msg)
+  */
+ int
+ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+-    const char *version_addendum)
+    int debian_banner, const char *version_addendum)
+ {
+        int remote_major, remote_minor, mismatch, oerrno = 0;
+        size_t len, i, n;
+@@ -1243,7 +1243,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+        if (version_addendum != NULL && *version_addendum == '\0')
+                version_addendum = NULL;
+        if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+-          PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+          PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+           debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+            version_addendum == NULL ? "" : " ",
+            version_addendum == NULL ? "" : version_addendum)) != 0) {
+                oerrno = errno;
+diff --git a/kex.h b/kex.h
+index fe7141414..938dca03b 100644
+--- a/kex.h
+++ b/kex.h
+@@ -194,7 +194,7 @@ char        *kex_names_cat(const char *, const char *);
+ int     kex_assemble_names(char **, const char *, const char *);
+ int     kex_gss_names_valid(const char *);
+ 
+-int     kex_exchange_identification(struct ssh *, int, const char *);
+int     kex_exchange_identification(struct ssh *, int, int, const char *);
+ 
+ struct kex *kex_new(void);
+ int     kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
+diff --git a/servconf.c b/servconf.c
+index 21abe41ac..f9eb778d6 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
+        options->fingerprint_hash = -1;
+        options->disable_forwarding = -1;
+        options->expose_userauth_info = -1;
+       options->debian_banner = -1;
+ }
+ 
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -469,6 +470,8 @@ fill_default_server_options(ServerOptions *options)
+                options->expose_userauth_info = 0;
+        if (options->sk_provider == NULL)
+                options->sk_provider = xstrdup("internal");
+       if (options->debian_banner == -1)
+               options->debian_banner = 1;
+ 
+        assemble_algorithms(options);
+ 
+@@ -548,6 +551,7 @@ typedef enum {
+        sStreamLocalBindMask, sStreamLocalBindUnlink,
+        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+        sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+       sDebianBanner,
+        sDeprecated, sIgnore, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -712,6 +716,7 @@ static struct {
+        { "rdomain", sRDomain, SSHCFG_ALL },
+        { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+        { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+        { NULL, sBadOption, 0 }
+ };
+ 
+@@ -2402,6 +2407,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+                        *charptr = xstrdup(arg);
+                break;
+ 
+       case sDebianBanner:
+               intptr = &options->debian_banner;
+               goto parse_flag;
+
+        case sDeprecated:
+        case sIgnore:
+        case sUnsupported:
+diff --git a/servconf.h b/servconf.h
+index f10908e5b..4afdf24d0 100644
+--- a/servconf.h
+++ b/servconf.h
+@@ -227,6 +227,8 @@ typedef struct {
+        int     expose_userauth_info;
+        u_int64_t timing_secret;
+        char   *sk_provider;
+
+       int     debian_banner;
+ }       ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
+diff --git a/sshconnect.c b/sshconnect.c
+index 3ae20b74e..bab3916d8 100644
+--- a/sshconnect.c
+++ b/sshconnect.c
+@@ -1296,7 +1296,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
+        lowercase(host);
+ 
+        /* Exchange protocol version identification strings with the server. */
+-       if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+       if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0)
+                sshpkt_fatal(ssh, r, "banner exchange");
+ 
+        /* Put the connection into non-blocking mode. */
+diff --git a/sshd.c b/sshd.c
+index 38d281ab4..50f2726bf 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2232,7 +2232,7 @@ main(int ac, char **av)
+        if (!debug_flag)
+                alarm(options.login_grace_time);
+ 
+-       if ((r = kex_exchange_identification(ssh, -1,
+       if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
+            options.version_addendum)) != 0)
+                sshpkt_fatal(ssh, r, "banner exchange");
+ 
+diff --git a/sshd_config.5 b/sshd_config.5
+index 6457620bb..33dc0c675 100644
+--- a/sshd_config.5
+++ b/sshd_config.5
+@@ -540,6 +540,11 @@ or
+ .Cm no .
+ The default is
+ .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
+ .It Cm DenyGroups
+ This keyword can be followed by a list of group name patterns, separated
+ by spaces.

diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 000000000..82cc37c1b --- /dev/null +++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,162 @@
	1	From 6353ee79cc71ef33a0a34d2d769a5fe327f6260d Mon Sep 17 00:00:00 2001
	2	From: Kees Cook <kees@debian.org>
	3	Date: Sun, 9 Feb 2014 16:10:06 +0000
	4	Subject: Add DebianBanner server configuration option
	5
	6	Setting this to "no" causes sshd to omit the Debian revision from its
	7	initial protocol handshake, for those scared by package-versioning.patch.
	8
	9	Bug-Debian: http://bugs.debian.org/562048
	10	Forwarded: not-needed
	11	Last-Update: 2020-06-07
	12
	13	Patch-Name: debian-banner.patch
	14	---
	15	kex.c \| 5 +++--
	16	kex.h \| 2 +-
	17	servconf.c \| 9 +++++++++
	18	servconf.h \| 2 ++
	19	sshconnect.c \| 2 +-
	20	sshd.c \| 2 +-
	21	sshd_config.5 \| 5 +++++
	22	7 files changed, 22 insertions(+), 5 deletions(-)
	23
	24	diff --git a/kex.c b/kex.c
	25	index ce7bb5b3b..763c45536 100644
	26	--- a/kex.c
	27	+++ b/kex.c
	28	@@ -1225,7 +1225,7 @@ send_error(struct ssh ssh, char msg)
	29	*/
	30	int
	31	kex_exchange_identification(struct ssh *ssh, int timeout_ms,
	32	- const char *version_addendum)
	33	+ int debian_banner, const char *version_addendum)
	34	{
	35	int remote_major, remote_minor, mismatch, oerrno = 0;
	36	size_t len, i, n;
	37	@@ -1243,7 +1243,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
	38	if (version_addendum != NULL && *version_addendum == '\0')
	39	version_addendum = NULL;
	40	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
	41	- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
	42	+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
	43	+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
	44	version_addendum == NULL ? "" : " ",
	45	version_addendum == NULL ? "" : version_addendum)) != 0) {
	46	oerrno = errno;
	47	diff --git a/kex.h b/kex.h
	48	index fe7141414..938dca03b 100644
	49	--- a/kex.h
	50	+++ b/kex.h
	51	@@ -194,7 +194,7 @@ char kex_names_cat(const char , const char *);
	52	int kex_assemble_names(char *, const char , const char *);
	53	int kex_gss_names_valid(const char *);
	54
	55	-int kex_exchange_identification(struct ssh , int, const char );
	56	+int kex_exchange_identification(struct ssh , int, int, const char );
	57
	58	struct kex *kex_new(void);
	59	int kex_ready(struct ssh , char [PROPOSAL_MAX]);
	60	diff --git a/servconf.c b/servconf.c
	61	index 21abe41ac..f9eb778d6 100644
	62	--- a/servconf.c
	63	+++ b/servconf.c
	64	@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
	65	options->fingerprint_hash = -1;
	66	options->disable_forwarding = -1;
	67	options->expose_userauth_info = -1;
	68	+ options->debian_banner = -1;
	69	}
	70
	71	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
	72	@@ -469,6 +470,8 @@ fill_default_server_options(ServerOptions *options)
	73	options->expose_userauth_info = 0;
	74	if (options->sk_provider == NULL)
	75	options->sk_provider = xstrdup("internal");
	76	+ if (options->debian_banner == -1)
	77	+ options->debian_banner = 1;
	78
	79	assemble_algorithms(options);
	80
	81	@@ -548,6 +551,7 @@ typedef enum {
	82	sStreamLocalBindMask, sStreamLocalBindUnlink,
	83	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
	84	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
	85	+ sDebianBanner,
	86	sDeprecated, sIgnore, sUnsupported
	87	} ServerOpCodes;
	88
	89	@@ -712,6 +716,7 @@ static struct {
	90	{ "rdomain", sRDomain, SSHCFG_ALL },
	91	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
	92	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
	93	+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
	94	{ NULL, sBadOption, 0 }
	95	};
	96
	97	@@ -2402,6 +2407,10 @@ process_server_config_line_depth(ServerOptions options, char line,
	98	*charptr = xstrdup(arg);
	99	break;
	100
	101	+ case sDebianBanner:
	102	+ intptr = &options->debian_banner;
	103	+ goto parse_flag;
	104	+
	105	case sDeprecated:
	106	case sIgnore:
	107	case sUnsupported:
	108	diff --git a/servconf.h b/servconf.h
	109	index f10908e5b..4afdf24d0 100644
	110	--- a/servconf.h
	111	+++ b/servconf.h
	112	@@ -227,6 +227,8 @@ typedef struct {
	113	int expose_userauth_info;
	114	u_int64_t timing_secret;
	115	char *sk_provider;
	116	+
	117	+ int debian_banner;
	118	} ServerOptions;
	119
	120	/* Information about the incoming connection as used by Match */
	121	diff --git a/sshconnect.c b/sshconnect.c
	122	index 3ae20b74e..bab3916d8 100644
	123	--- a/sshconnect.c
	124	+++ b/sshconnect.c
	125	@@ -1296,7 +1296,7 @@ ssh_login(struct ssh ssh, Sensitive sensitive, const char *orighost,
	126	lowercase(host);
	127
	128	/* Exchange protocol version identification strings with the server. */
	129	- if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
	130	+ if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0)
	131	sshpkt_fatal(ssh, r, "banner exchange");
	132
	133	/* Put the connection into non-blocking mode. */
	134	diff --git a/sshd.c b/sshd.c
	135	index 38d281ab4..50f2726bf 100644
	136	--- a/sshd.c
	137	+++ b/sshd.c
	138	@@ -2232,7 +2232,7 @@ main(int ac, char **av)
	139	if (!debug_flag)
	140	alarm(options.login_grace_time);
	141
	142	- if ((r = kex_exchange_identification(ssh, -1,
	143	+ if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
	144	options.version_addendum)) != 0)
	145	sshpkt_fatal(ssh, r, "banner exchange");
	146
	147	diff --git a/sshd_config.5 b/sshd_config.5
	148	index 6457620bb..33dc0c675 100644
	149	--- a/sshd_config.5
	150	+++ b/sshd_config.5
	151	@@ -540,6 +540,11 @@ or
	152	.Cm no .
	153	The default is
	154	.Cm yes .
	155	+.It Cm DebianBanner
	156	+Specifies whether the distribution-specified extra version suffix is
	157	+included during initial protocol handshake.
	158	+The default is
	159	+.Cm yes .
	160	.It Cm DenyGroups
	161	This keyword can be followed by a list of group name patterns, separated
	162	by spaces.