1 files changed, 162 insertions, 0 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
new file mode 100644
index 0000000..2c32879
--- /dev/null
+++ b/debian/patches/debian-banner.patch
@@ -0,0 +1,162 @@
+From 2d3ac49df11f0aed81f35ce9588eb2c578ec98f2 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@debian.org>
+Date: Sun, 9 Feb 2014 16:10:06 +0000
+Subject: Add DebianBanner server configuration option
+
+Setting this to "no" causes sshd to omit the Debian revision from its
+initial protocol handshake, for those scared by package-versioning.patch.
+
+Bug-Debian: http://bugs.debian.org/562048
+Forwarded: not-needed
+Last-Update: 2023-01-02
+
+Patch-Name: debian-banner.patch
+---
+ kex.c         | 5 +++--
+ kex.h         | 2 +-
+ servconf.c    | 9 +++++++++
+ servconf.h    | 2 ++
+ sshconnect.c  | 2 +-
+ sshd.c        | 2 +-
+ sshd_config.5 | 5 +++++
+ 7 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/kex.c b/kex.c
+index 32858e65c..e7b7316c7 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1272,7 +1272,7 @@ send_error(struct ssh *ssh, char *msg)
+  */
+ int
+ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+-    const char *version_addendum)
++    int debian_banner, const char *version_addendum)
+ {
+ 	int remote_major, remote_minor, mismatch, oerrno = 0;
+ 	size_t len, n;
+@@ -1290,7 +1290,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ 	if (version_addendum != NULL && *version_addendum == '\0')
+ 		version_addendum = NULL;
+ 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
++	    debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+ 	    version_addendum == NULL ? "" : " ",
+ 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
+ 		oerrno = errno;
+diff --git a/kex.h b/kex.h
+index 240dca89d..e356f5ed0 100644
+--- a/kex.h
++++ b/kex.h
+@@ -200,7 +200,7 @@ char	*kex_names_cat(const char *, const char *);
+ int	 kex_assemble_names(char **, const char *, const char *);
+ int	 kex_gss_names_valid(const char *);
+ 
+-int	 kex_exchange_identification(struct ssh *, int, const char *);
++int	 kex_exchange_identification(struct ssh *, int, int, const char *);
+ 
+ struct kex *kex_new(void);
+ int	 kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
+diff --git a/servconf.c b/servconf.c
+index 6529f2736..4ecbca8ed 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -203,6 +203,7 @@ initialize_server_options(ServerOptions *options)
+ 	options->channel_timeouts = NULL;
+ 	options->num_channel_timeouts = 0;
+ 	options->unused_connection_timeout = -1;
++	options->debian_banner = -1;
+ }
+ 
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -461,6 +462,8 @@ fill_default_server_options(ServerOptions *options)
+ 		options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
+ 	if (options->unused_connection_timeout == -1)
+ 		options->unused_connection_timeout = 0;
++	if (options->debian_banner == -1)
++		options->debian_banner = 1;
+ 
+ 	assemble_algorithms(options);
+ 
+@@ -546,6 +549,7 @@ typedef enum {
+ 	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ 	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ 	sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
++	sDebianBanner,
+ 	sDeprecated, sIgnore, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -719,6 +723,7 @@ static struct {
+ 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+ 	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
+ 	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
++	{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
+ 	{ NULL, sBadOption, 0 }
+ };
+ 
+@@ -2596,6 +2601,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ 		}
+ 		goto parse_time;
+ 
++	case sDebianBanner:
++		intptr = &options->debian_banner;
++		goto parse_flag;
++
+ 	case sDeprecated:
+ 	case sIgnore:
+ 	case sUnsupported:
+diff --git a/servconf.h b/servconf.h
+index 38a68d576..e142cf77a 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -238,6 +238,8 @@ typedef struct {
+ 	u_int	num_channel_timeouts;
+ 
+ 	int	unused_connection_timeout;
++
++	int	debian_banner;
+ }       ServerOptions;
+ 
+ /* Information about the incoming connection as used by Match */
+diff --git a/sshconnect.c b/sshconnect.c
+index 77a3080ba..dbb3c98a7 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1574,7 +1574,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
+ 	lowercase(host);
+ 
+ 	/* Exchange protocol version identification strings with the server. */
+-	if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
++	if ((r = kex_exchange_identification(ssh, timeout_ms, 1, NULL)) != 0)
+ 		sshpkt_fatal(ssh, r, "banner exchange");
+ 
+ 	/* Put the connection into non-blocking mode. */
+diff --git a/sshd.c b/sshd.c
+index dd4a19131..b4ee435e5 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2238,7 +2238,7 @@ main(int ac, char **av)
+ 	if (!debug_flag)
+ 		alarm(options.login_grace_time);
+ 
+-	if ((r = kex_exchange_identification(ssh, -1,
++	if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
+ 	    options.version_addendum)) != 0)
+ 		sshpkt_fatal(ssh, r, "banner exchange");
+ 
+diff --git a/sshd_config.5 b/sshd_config.5
+index eb58750a5..2c6ec76cb 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -615,6 +615,11 @@ or
+ .Cm no .
+ The default is
+ .Cm yes .
++.It Cm DebianBanner
++Specifies whether the distribution-specified extra version suffix is
++included during initial protocol handshake.
++The default is
++.Cm yes .
+ .It Cm DenyGroups
+ This keyword can be followed by a list of group name patterns, separated
+ by spaces.