Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2020-02-21

Patch-Name: debian-banner.patch

Gbp-Pq: Name debian-banner.patch
Kees Cook 2014-02-09 16:10:06 +00:00 committed by Lu zhiping
parent 01585ac808
commit f93c6d7faf
7 changed files with 23 additions and 5 deletions

5
kex.c

@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
const char *version_addendum)
int debian_banner, const char *version_addendum)
{
int remote_major, remote_minor, mismatch;
size_t len, i, n;
@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
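Review bot: The new `debian_banner` parameter and the `SSH_RELEASE_MINIMUM` macro it selects on the `debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM` line are undocumented, and the macro is not defined anywhere in this commit — presumably it comes from the package-versioning.patch named in the description, so the two patches are order-dependent and that should be stated in the header comment. A line above the definition such as `/* debian_banner != 0: advertise SSH_RELEASE (includes the distribution suffix); 0: advertise the bare SSH_RELEASE_MINIMUM so the banner reveals no packaging revision. */` would make the contract explicit. Whatever value SSH_RELEASE_MINIMUM carries still passes through the existing `%.100s` bound, so no new length check is needed here. Both the header comment and the body of kex_exchange_identification extend outside this hunk.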

2
kex.h

@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
int kex_gss_names_valid(const char *);
int kex_exchange_identification(struct ssh *, int, const char *);
int kex_exchange_identification(struct ssh *, int, int, const char *);
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
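Review bot: The added `int` parameter is unnamed in the prototype, as is the file's style, so a reader of the header gets no hint that it is a flag rather than a count or timeout; a one-line comment above it, `/* int flag: non-zero includes the distribution version suffix in the banner */`, would close that gap without departing from the existing style.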


@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
options->expose_userauth_info = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
if (options->debian_banner == -1)
options->debian_banner = 1;
assemble_algorithms(options);
@ -556,6 +559,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@ -719,6 +723,7 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
*charptr = xstrdup(arg);
break;
case sDebianBanner:
intptr = &options->debian_banner;
goto parse_flag;
case sDeprecated:
case sIgnore:
case sUnsupported:
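Review bot: The option is initialised, defaulted and parsed in these hunks, but as far as this diff shows it is not emitted by `dump_config()` (outside the hunks), so an operator checking the effective setting with `sshd -T` would not see `DebianBanner`; if that function prints the other flag options it should also get `dump_cfg_fmtint(sDebianBanner, o->debian_banner);`. The keyword is registered as `SSHCFG_GLOBAL`, whereas `VersionAddendum`, which is combined into the same banner string, appears to be settable per Match block in this tree — worth confirming that global-only is the intended scope. The `parse_flag` target and the rest of process_server_config_line_depth lie outside the hunk.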


@ -221,6 +221,8 @@ typedef struct {
int expose_userauth_info;
u_int64_t timing_secret;
char *sk_provider;
int debian_banner;
} ServerOptions;
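Review bot: `int debian_banner;` is added without recording its value convention, which is set elsewhere in the commit (-1 in initialize_server_options, 1 as the default in fill_default_server_options); a trailing comment, `int debian_banner; /* -1 unset; 1 full SSH_RELEASE in banner (default); 0 SSH_RELEASE_MINIMUM */`, keeps that knowledge next to the field. The enclosing typedef struct begins outside the hunk.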
/* Information about the incoming connection as used by Match */


@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
cleanup_exit(255); /* error already logged */
/* Put the connection into non-blocking mode. */
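Review bot: The client passes a literal `1`, so ssh always advertises the full SSH_RELEASE and the new option has no client-side counterpart; that is defensible but reads as a magic number next to the `NULL` addendum. A short comment on the call, `/* the client always sends the full release string; DebianBanner is server-only */`, would record the intent for the next reader. ssh_login continues outside the hunk.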

3
sshd.c

@ -2187,7 +2187,8 @@ main(int ac, char **av)
if (!debug_flag)
alarm(options.login_grace_time);
if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
if (kex_exchange_identification(ssh, -1, options.debian_banner,
options.version_addendum) != 0)
cleanup_exit(255); /* error already logged */
ssh_packet_set_nonblocking(ssh);


@ -542,6 +542,11 @@ or
.Cm no .
The default is
.Cm yes .
.It Cm DebianBanner
Specifies whether the distribution-specified extra version suffix is
included during initial protocol handshake.
The default is
.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.