Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-banner.patch Gbp-Pq: Name debian-banner.patch
parent
01585ac808
commit
f93c6d7faf
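--- a/kex.c
+++ b/kex.c
@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
 */
 int
 kex_exchange_identification(struct ssh *ssh, int timeout_ms,
-const char *version_addendum)
+int debian_banner, const char *version_addendum)
 {
 int remote_major, remote_minor, mismatch;
 size_t len, i, n;
@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 if (version_addendum != NULL && *version_addendum == '\0')
 version_addendum = NULL;
 if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
 version_addendum == NULL ? "" : " ",
 version_addendum == NULL ? "" : version_addendum)) != 0) {
 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));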
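Review bot: Nothing visible in this section documents the new `debian_banner` parameter, and the choice made in the second hunk (`debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM`) depends on a macro that is defined outside this commit. The comment block above kex_exchange_identification begins before the first hunk and the function body runs past both hunks, so I would add one line to that comment: `debian_banner: non-zero sends SSH_RELEASE, zero sends SSH_RELEASE_MINIMUM (no distribution revision).` Going by the commit description only the Debian revision is dropped, so the comment should not suggest that the upstream version is hidden. A server with the option set to "no" still advertises its base release, and banner-based vulnerability scanners lose the revision they use to tell a patched package from an unpatched one.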
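--- a/kex.h
+++ b/kex.h
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
 int kex_assemble_names(char **, const char *, const char *);
 int kex_gss_names_valid(const char *);
 
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
 
 struct kex *kex_new(void);
 int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);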
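Review bot: The prototype now carries two adjacent unnamed `int` parameters, so a call that swaps the timeout and the banner flag compiles without a warning. The callers changed in this commit pass `timeout_ms, 1` and `-1, options.debian_banner`, which are correct but only readable next to the definition. Naming the parameters here would make the order checkable at a glance: `int kex_exchange_identification(struct ssh *, int timeout_ms, int debian_banner, const char *);`. The other prototypes visible in this hunk leave their parameters unnamed, so this would be a deliberate exception.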
|
@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
|
||||||
options->fingerprint_hash = -1;
|
options->fingerprint_hash = -1;
|
||||||
options->disable_forwarding = -1;
|
options->disable_forwarding = -1;
|
||||||
options->expose_userauth_info = -1;
|
options->expose_userauth_info = -1;
|
||||||
|
options->debian_banner = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||||
|
@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
|
||||||
options->expose_userauth_info = 0;
|
options->expose_userauth_info = 0;
|
||||||
if (options->sk_provider == NULL)
|
if (options->sk_provider == NULL)
|
||||||
options->sk_provider = xstrdup("internal");
|
options->sk_provider = xstrdup("internal");
|
||||||
|
if (options->debian_banner == -1)
|
||||||
|
options->debian_banner = 1;
|
||||||
|
|
||||||
assemble_algorithms(options);
|
assemble_algorithms(options);
|
||||||
|
|
||||||
|
@ -556,6 +559,7 @@ typedef enum {
|
||||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||||
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
|
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
|
||||||
|
sDebianBanner,
|
||||||
sDeprecated, sIgnore, sUnsupported
|
sDeprecated, sIgnore, sUnsupported
|
||||||
} ServerOpCodes;
|
} ServerOpCodes;
|
||||||
|
|
||||||
|
@ -719,6 +723,7 @@ static struct {
|
||||||
{ "rdomain", sRDomain, SSHCFG_ALL },
|
{ "rdomain", sRDomain, SSHCFG_ALL },
|
||||||
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
||||||
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
||||||
|
{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
|
||||||
{ NULL, sBadOption, 0 }
|
{ NULL, sBadOption, 0 }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||||
*charptr = xstrdup(arg);
|
*charptr = xstrdup(arg);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case sDebianBanner:
|
||||||
|
intptr = &options->debian_banner;
|
||||||
|
goto parse_flag;
|
||||||
|
|
||||||
case sDeprecated:
|
case sDeprecated:
|
||||||
case sIgnore:
|
case sIgnore:
|
||||||
case sUnsupported:
|
case sUnsupported:
|
||||||
|
|
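Review bot: None of the five hunks in this section adds the new option to the configuration dump, so `sshd -T` would presumably not report the effective `DebianBanner` value. The dump function is outside the visible lines, so this needs confirming against the full file. Configuration audits that rely on the test-mode output could then not verify whether the distribution revision is being advertised. If it is missing, a line such as `dump_cfg_fmtint(sDebianBanner, o->debian_banner);` next to the other flag options would cover it.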
|
@ -221,6 +221,8 @@ typedef struct {
|
||||||
int expose_userauth_info;
|
int expose_userauth_info;
|
||||||
u_int64_t timing_secret;
|
u_int64_t timing_secret;
|
||||||
char *sk_provider;
|
char *sk_provider;
|
||||||
|
|
||||||
|
int debian_banner;
|
||||||
} ServerOptions;
|
} ServerOptions;
|
||||||
|
|
||||||
/* Information about the incoming connection as used by Match */
|
/* Information about the incoming connection as used by Match */
|
||||||
|
|
|
@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
|
||||||
lowercase(host);
|
lowercase(host);
|
||||||
|
|
||||||
/* Exchange protocol version identification strings with the server. */
|
/* Exchange protocol version identification strings with the server. */
|
||||||
if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
|
if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
|
||||||
cleanup_exit(255); /* error already logged */
|
cleanup_exit(255); /* error already logged */
|
||||||
|
|
||||||
/* Put the connection into non-blocking mode. */
|
/* Put the connection into non-blocking mode. */
|
||||||
|
|
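--- a/sshd.c
+++ b/sshd.c
@@ -2187,7 +2187,8 @@ main(int ac, char **av)
 if (!debug_flag)
 alarm(options.login_grace_time);
 
-if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+if (kex_exchange_identification(ssh, -1, options.debian_banner,
+options.version_addendum) != 0)
 cleanup_exit(255); /* error already logged */
 
 ssh_packet_set_nonblocking(ssh);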
|
@ -542,6 +542,11 @@ or
|
||||||
.Cm no .
|
.Cm no .
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
|
.It Cm DebianBanner
|
||||||
|
Specifies whether the distribution-specified extra version suffix is
|
||||||
|
included during initial protocol handshake.
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
.It Cm DenyGroups
|
.It Cm DenyGroups
|
||||||
This keyword can be followed by a list of group name patterns, separated
|
This keyword can be followed by a list of group name patterns, separated
|
||||||
by spaces.
|
by spaces.
|
||||||
|
|