1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
From 0a938d856d024bfff79fac63e65df382ffa444a4 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: debian-banner.patch
---
kex.c | 5 +++--
kex.h | 2 +-
servconf.c | 9 +++++++++
servconf.h | 2 ++
sshconnect.c | 2 +-
sshd.c | 3 ++-
sshd_config.5 | 5 +++++
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index be354206d..bbb7a2340 100644
--- a/kex.c
+++ b/kex.c
@@ -1168,7 +1168,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
{
int remote_major, remote_minor, mismatch;
size_t len, i, n;
@@ -1186,7 +1186,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/kex.h b/kex.h
index 2d5f1d4ed..39f67bbc1 100644
--- a/kex.h
+++ b/kex.h
@@ -195,7 +195,7 @@ char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
int kex_gss_names_valid(const char *);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index c01e0690e..8d2bced52 100644
--- a/servconf.c
+++ b/servconf.c
@@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options)
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -437,6 +438,8 @@ fill_default_server_options(ServerOptions *options)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
options->expose_userauth_info = 0;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
@@ -523,6 +526,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -682,6 +686,7 @@ static struct {
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -2211,6 +2216,10 @@ process_server_config_line(ServerOptions *options, char *line,
*charptr = xstrdup(arg);
break;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
diff --git a/servconf.h b/servconf.h
index a476d5220..986093ffa 100644
--- a/servconf.h
+++ b/servconf.h
@@ -214,6 +214,8 @@ typedef struct {
int fingerprint_hash;
int expose_userauth_info;
u_int64_t timing_secret;
+
+ int debian_banner;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index 0b6f6af4b..1183ffe0e 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1287,7 +1287,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
cleanup_exit(255); /* error already logged */
/* Put the connection into non-blocking mode. */
diff --git a/sshd.c b/sshd.c
index e3e96426e..1e7ece588 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2160,7 +2160,8 @@ main(int ac, char **av)
if (!debug_flag)
alarm(options.login_grace_time);
- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+ if (kex_exchange_identification(ssh, -1, options.debian_banner,
+ options.version_addendum) != 0)
cleanup_exit(255); /* error already logged */
ssh_packet_set_nonblocking(ssh);
diff --git a/sshd_config.5 b/sshd_config.5
index 2ef671d1b..addea54a0 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -543,6 +543,11 @@ or
.Cm no .
The default is
.Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
|