Bug#562048: allow for the package-specific version banner to be suppressed
Package: openssh
Version: 1:5.1p1-8
Severity: wishlist
Tags: patch
Hi!
It is sometimes desirable to suppress the exact package version of
openssh that is reported during the initial protocol handshake.
While attempts we made to more completely deal with this upstream were
rejected[1], the "EXTRAVERSION" variable appears to be a Debian-specific
change. This means a Debian-specific sshd option can be proposed to
disable the EXTRAVERSION portion of the protocol greeting, giving:
SSH-2.0-OpenSSH_5.1p1
instead of
SSH-2.0-OpenSSH_5.1p1 Debian-8
This patch introduces ReportExtraversion (which defaults to "yes"). When
set to "no", "Debian-8" is left off the protocol greeting.
Thanks!
-Kees
[1]://bugzilla.mindrot.org/show_bug.cgi?id=764
--
Kees Cook @debian.org
diff -uNrp openssh-5.1p1~/debian/changelog openssh-5.1p1/debian/changelog
--- openssh-5.1p1~/debian/changelog 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/debian/changelog 2009-12-22 01:11:57.986834956 -0800
@@ -1,3 +1,12 @@
+openssh (1:5.1p1-9) unstable; urgency=low
+
+ * servconf.[ch], sshd.c, version.h, sshd_config.5: implement
+ ReportExtraversion server configuration flag that can be set to
+ "no" to allow sshd to run without the Debian-specific extra version
+ in the initial protocol handshake.
+
+ -- Kees Cook <kees@debian.org> Tue, 22 Dec 2009 01:11:04 -0800
+
openssh (1:5.1p1-8) unstable; urgency=low
* Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi;
diff -uNrp openssh-5.1p1~/servconf.c openssh-5.1p1/servconf.c
--- openssh-5.1p1~/servconf.c 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/servconf.c 2009-12-22 01:10:50.496829718 -0800
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
+ options->report_extraversion = -1;
}
void
@@ -267,6 +268,8 @@ fill_default_server_options(ServerOption
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->report_extraversion == -1)
+ options->report_extraversion = 1;
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -313,6 +316,7 @@ typedef enum {
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sReportExtraversion,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -435,6 +439,7 @@ static struct {
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ { "reportextraversion", sReportExtraversion, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -1313,6 +1318,10 @@ process_server_config_line(ServerOptions
*charptr = xstrdup(arg);
break;
+ case sReportExtraversion:
+ intptr = &options->report_extraversion;
+ goto parse_int;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
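Review bot: The new `sReportExtraversion` case jumps to `parse_int`, but the option is documented in the sshd_config.5 hunk (and in the bug description) as a yes/no flag; the integer parser presumably converts the argument numerically, so a literal `ReportExtraversion yes` would become 0 and silently suppress the suffix, while only numeric arguments would behave as intended. The case should use the yes/no parser that the other boolean server options use, `goto parse_flag;`, so that `yes`/`no` are accepted and anything else is rejected when the configuration is loaded. process_server_config_line continues outside the hunk. The earlier hunks in this file (initialisation to -1, defaulting to 1, the SSHCFG_GLOBAL keyword entry) already follow the flag convention and need no change.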
diff -uNrp openssh-5.1p1~/servconf.h openssh-5.1p1/servconf.h
--- openssh-5.1p1~/servconf.h 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/servconf.h 2009-12-22 01:10:50.496829718 -0800
@@ -151,6 +151,8 @@ typedef struct {
int num_permitted_opens;
+ int report_extraversion;
+
char *chroot_directory;
} ServerOptions;
diff -uNrp openssh-5.1p1~/sshd.c openssh-5.1p1/sshd.c
--- openssh-5.1p1~/sshd.c 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/sshd.c 2009-12-22 01:10:50.496829718 -0800
@@ -425,7 +425,8 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
}
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_RELEASE, newline);
+ options.report_extraversion ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+ newline);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
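Review bot: The conditional inserted into the banner snprintf would benefit from a short comment, since `SSH_RELEASE_MINIMUM` is introduced by version.h in this same patch and the reason for choosing it is not evident at this call site; something like `/* ReportExtraversion=no: send SSH_VERSION SSH_PORTABLE only, without the distribution suffix */`. It is worth stating in that comment that the upstream release identifier is still sent either way, so the option hides only the distribution patch level from the greeting. sshd_exchange_identification continues outside the hunk.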
diff -uNrp openssh-5.1p1~/sshd_config.5 openssh-5.1p1/sshd_config.5
--- openssh-5.1p1~/sshd_config.5 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/sshd_config.5 2009-12-22 01:10:50.496829718 -0800
@@ -862,6 +862,11 @@ Specifies whether public key authenticat
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm ReportExtraversion
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff -uNrp openssh-5.1p1~/version.h openssh-5.1p1/version.h
--- openssh-5.1p1~/version.h 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/version.h 2009-12-22 01:10:50.496829718 -0800
@@ -3,8 +3,9 @@
#define SSH_VERSION "OpenSSH_5.1"
#define SSH_PORTABLE "p1"
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
#ifdef SSH_EXTRAVERSION
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
#else
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
#endif