From 8f693762755211b20d50f7e0b963bd1c3955c4b7 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2025-04-11
Patch-Name: debian-banner.patch
---
 kex.c | 5 +++--
 kex.h | 2 +-
 servconf.c | 10 ++++++++++
 servconf.h | 2 ++
 sshconnect.c | 2 +-
 sshd-session.c | 2 +-
 sshd_config.5 | 5 +++++
 7 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/kex.c b/kex.c
index 19b1fcaa8..ca6d5b53d 100644
--- a/kex.c
+++ b/kex.c
@@ -1237,7 +1237,7 @@ send_error(struct ssh *ssh, char *msg)
 */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
 {
 int remote_major, remote_minor, mismatch, oerrno = 0;
 size_t len, n;
@@ -1255,7 +1255,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 if (version_addendum != NULL && *version_addendum == '\0')
 version_addendum = NULL;
 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
 version_addendum == NULL ? "" : " ",
 version_addendum == NULL ? "" : version_addendum)) != 0) {
 oerrno = errno;
diff --git a/kex.h b/kex.h
index cd6a40333..6a08023d0 100644
--- a/kex.h
+++ b/kex.h
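Review bot: The new `debian_banner` parameter is undocumented: the function's header comment ends just above the first hunk (only its closing ` */` is visible) and nothing says what the flag selects, although the `SSH_RELEASE` versus `SSH_RELEASE_MINIMUM` choice in the second hunk decides how much version detail is sent to a peer that has not yet authenticated. Add a line to that header comment such as `debian_banner non-zero: advertise SSH_RELEASE (upstream version plus distribution suffix); zero: advertise SSH_RELEASE_MINIMUM.` `SSH_RELEASE_MINIMUM` is not defined anywhere in this patch; presumably it comes from the package-versioning patch the description refers to, and that dependency is worth stating next to the use. The body of kex_exchange_identification continues outside both hunks.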
@@ -215,7 +215,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
 const char *, const char *, const char *, const char *, const char *);
 void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
 struct kex *kex_new(void);
 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index d2025592a..4891a43d6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -221,6 +221,7 @@ initialize_server_options(ServerOptions *options)
 options->sshd_session_path = NULL;
 options->sshd_auth_path = NULL;
 options->refuse_connection = -1;
+ options->debian_banner = -1;
 }
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -511,6 +512,8 @@ fill_default_server_options(ServerOptions *options)
 options->sshd_auth_path = xstrdup(_PATH_SSHD_AUTH);
 if (options->refuse_connection == -1)
 options->refuse_connection = 0;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
 assemble_algorithms(options);
@@ -595,6 +598,7 @@ typedef enum {
 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout, sSshdSessionPath, sSshdAuthPath, sRefuseConnection,
+ sDebianBanner,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
@@ -775,6 +779,7 @@ static struct {
 { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
 { "sshdauthpath", sSshdAuthPath, SSHCFG_GLOBAL },
 { "refuseconnection", sRefuseConnection, SSHCFG_ALL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 { NULL, sBadOption, 0 }
 };
@@ -2773,6 +2778,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 multistate_ptr = multistate_flag;
 goto parse_multistate;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
 case sDeprecated:
 case sIgnore:
 case sUnsupported:
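Review bot: The prototype now carries two adjacent unnamed `int` parameters, so a caller that swaps the timeout and the banner flag still compiles and would silently advertise the wrong banner; the sshd-session.c call in this patch passes `-1, options.debian_banner` in the right order, but the header gives a reader no way to check that. If the file's convention of nameless prototypes is kept, a trailing comment on the declaration, `/* ssh, timeout_ms, debian_banner, version_addendum */`, documents the order.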
@@ -3328,6 +3337,7 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
 dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
+ dump_cfg_fmtint(sDebianBanner, o->debian_banner);
 /* string arguments */
 dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
index c3f501400..b510992e3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -255,6 +255,8 @@ typedef struct {
 char *sshd_auth_path;
 int refuse_connection;
+
+ int debian_banner;
 } ServerOptions;
 /* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index 54de157db..59f66c534 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1611,7 +1611,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
 lowercase(host);
 /* Exchange protocol version identification strings with the server. */
- if ((r = kex_exchange_identification(ssh, timeout_ms,
+ if ((r = kex_exchange_identification(ssh, timeout_ms, 1,
 options.version_addendum)) != 0)
 sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd-session.c b/sshd-session.c
index 372a610b3..2b6d2a98b 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1295,7 +1295,7 @@ main(int ac, char **av)
 fatal("login grace time setitimer failed");
 }
- if ((r = kex_exchange_identification(ssh, -1,
+ if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
 options.version_addendum)) != 0)
 sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
index b79e8a3ee..677567908 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -629,6 +629,11 @@ or
 .Cm no .
 The default is
 .Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is included during initial protocol handshake.
+The default is
+.Cm yes .
 .It Cm DenyGroups
 This keyword can be followed by a list of group name patterns, separated by spaces.
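Review bot: The new field `int debian_banner;` in servconf.h has no comment, and its meaning is only recoverable from servconf.c (initialised to `-1` as "unset", defaulted to `1`) and from the ternary in kex.c. A field comment would tie those together: `int debian_banner; /* -1 unset; 1 advertise distribution suffix in banner, 0 upstream version only */`. The enclosing `ServerOptions` typedef starts before the hunk.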
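Review bot: The literal `1` added to the client's call in sshconnect.c is a magic value: it means "always advertise the full release" but nothing at the call site says so, and the DebianBanner option added by this patch exists only for sshd (servconf.c, sshd_config.5), so a reader may wonder why ssh(1) gets no equivalent. A comment on the call, `/* ssh(1) has no DebianBanner option; always send the full SSH_RELEASE */`, records the intent. ssh_login's body continues outside the hunk.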