Description: Add DebianBanner server configuration option Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Author: Kees Cook Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2010-02-28 Index: b/servconf.c =================================================================== --- a/servconf.c +++ b/servconf.c @@ -136,6 +136,7 @@ options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; options->authorized_principals_file = NULL; + options->debian_banner = -1; } void @@ -278,6 +279,8 @@ options->permit_tun = SSH_TUNMODE_NO; if (options->zero_knowledge_password_authentication == -1) options->zero_knowledge_password_authentication = 0; + if (options->debian_banner == -1) + options->debian_banner = 1; /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -326,6 +329,7 @@ sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, + sDebianBanner, sDeprecated, sUnsupported } ServerOpCodes; @@ -459,6 +463,7 @@ { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -1392,6 +1397,10 @@ charptr = &options->revoked_keys_file; goto parse_filename; + case sDebianBanner: + intptr = &options->debian_banner; + goto parse_int; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); Index: b/servconf.h =================================================================== --- a/servconf.h +++ b/servconf.h @@ -157,6 +157,8 @@ int num_permitted_opens; + int debian_banner; + char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; Index: b/sshd.c =================================================================== --- a/sshd.c +++ b/sshd.c @@ -422,7 +422,8 @@ minor = PROTOCOL_MINOR_1; } snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, - SSH_RELEASE, newline); + options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, + newline); server_version_string = xstrdup(buf); /* Send our protocol version identification. */ Index: b/sshd_config.5 =================================================================== --- a/sshd_config.5 +++ b/sshd_config.5 @@ -340,6 +340,11 @@ .Dq no . The default is .Dq delayed . +.It Cm DebianBanner +Specifies whether the distribution-specified extra version suffix is +included during initial protocol handshake. +The default is +.Dq yes . .It Cm DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces.