horok/openssh
1
0
Fork 0
Code Activity
openssh/debian/patches/debian-banner.patch
Daniel Baumann 31f6d7a384
Adding debian version 1:10.0p1-5. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-21 09:50:02 +02:00

170 lines
5.6 KiB
Diff
Raw Permalink Blame History

From 8f693762755211b20d50f7e0b963bd1c3955c4b7 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2025-04-11
Patch-Name: debian-banner.patch
---
kex.c | 5 +++--
kex.h | 2 +-
servconf.c | 10 ++++++++++
servconf.h | 2 ++
sshconnect.c | 2 +-
sshd-session.c | 2 +-
sshd_config.5 | 5 +++++
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index 19b1fcaa8..ca6d5b53d 100644
--- a/kex.c
+++ b/kex.c
@@ -1237,7 +1237,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, n;
@@ -1255,7 +1255,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/kex.h b/kex.h
index cd6a40333..6a08023d0 100644
--- a/kex.h
+++ b/kex.h
@@ -215,7 +215,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
const char *, const char *, const char *, const char *, const char *);
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index d2025592a..4891a43d6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -221,6 +221,7 @@ initialize_server_options(ServerOptions *options)
options->sshd_session_path = NULL;
options->sshd_auth_path = NULL;
options->refuse_connection = -1;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -511,6 +512,8 @@ fill_default_server_options(ServerOptions *options)
options->sshd_auth_path = xstrdup(_PATH_SSHD_AUTH);
if (options->refuse_connection == -1)
options->refuse_connection = 0;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
@@ -595,6 +598,7 @@ typedef enum {
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
sSshdSessionPath, sSshdAuthPath, sRefuseConnection,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -775,6 +779,7 @@ static struct {
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
{ "sshdauthpath", sSshdAuthPath, SSHCFG_GLOBAL },
{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -2773,6 +2778,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
multistate_ptr = multistate_flag;
goto parse_multistate;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -3328,6 +3337,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
+ dump_cfg_fmtint(sDebianBanner, o->debian_banner);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
index c3f501400..b510992e3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -255,6 +255,8 @@ typedef struct {
char *sshd_auth_path;
int refuse_connection;
+
+ int debian_banner;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index 54de157db..59f66c534 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1611,7 +1611,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
- if ((r = kex_exchange_identification(ssh, timeout_ms,
+ if ((r = kex_exchange_identification(ssh, timeout_ms, 1,
options.version_addendum)) != 0)
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd-session.c b/sshd-session.c
index 372a610b3..2b6d2a98b 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1295,7 +1295,7 @@ main(int ac, char **av)
fatal("login grace time setitimer failed");
}
- if ((r = kex_exchange_identification(ssh, -1,
+ if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
options.version_addendum)) != 0)
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
index b79e8a3ee..677567908 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -629,6 +629,11 @@ or
.Cm no .
The default is
.Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
View git blame Copy permalink