Bug#774410: allow for the package-specific version banner to be suppressed for ssh client
Package: openssh-client
Version: 1:6.7p1-3
Severity: wishlist
Tags: patch
Hi,
It should also be possible for the ssh client to suppress the exact
package version of openssh that is reported during the initial
protocol handshake.
A similar bug was fixed for the SSH server:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562048
This patch adds the DebianBanner option to ssh_config as well. The behavior
is the same as DebianBanner in sshd_config.
Thanks,
Fedor
diff -Naur old/readconf.c new/readconf.c
--- old/readconf.c 2014-12-29 14:16:06.000000000 +0000
+++ new/readconf.c 2014-12-29 16:38:04.358747439 +0000
@@ -156,6 +156,7 @@
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink,
oProtocolKeepAlives, oSetupTimeOut,
+ oDebianBanner,
oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -283,6 +284,7 @@
{ "ignoreunknown", oIgnoreUnknown },
{ "protocolkeepalives", oProtocolKeepAlives },
{ "setuptimeout", oSetupTimeOut },
+ { "debianbanner", oDebianBanner },
{ NULL, oBadOption }
};
@@ -1472,6 +1474,10 @@
intptr = &options->fwd_opts.streamlocal_bind_unlink;
goto parse_flag;
+ case oDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@@ -1652,6 +1658,7 @@
options->canonicalize_max_dots = -1;
options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1;
+ options->debian_banner = -1;
}
/*
@@ -1840,6 +1847,8 @@
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
#define CLEAR_ON_NONE(v) \
do { \
if (option_clear_or_none(v)) { \
diff -Naur old/readconf.h new/readconf.h
--- old/readconf.h 2014-12-29 14:26:42.943868206 +0000
+++ new/readconf.h 2014-12-29 14:24:55.036930555 +0000
@@ -150,6 +150,8 @@
struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
+
+ int debian_banner;
} Options;
#define SSH_CANONICALISE_NO 0
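Review bot: The new `debian_banner` member in `Options` has no comment, unlike `ignored_unknown` directly above it. The readconf.c hunks treat it as a tri-state (`-1` unset, then defaulted to `1`), so a short note on the declaration helps, for example `int debian_banner; /* Send Debian version suffix in banner; -1 = unset */`. The struct begins outside this hunk.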
diff -Naur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5 2014-12-29 14:16:06.000000000 +0000
+++ new/ssh_config.5 2014-12-29 15:17:42.003822518 +0000
@@ -552,6 +552,11 @@
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
.It Cm DynamicForward
Specifies that a TCP port on the local machine be forwarded
over the secure channel, and the application
diff -Naur old/sshconnect.c new/sshconnect.c
--- old/sshconnect.c 2014-12-29 14:16:06.000000000 +0000
+++ new/sshconnect.c 2014-12-29 15:12:32.712529301 +0000
@@ -521,10 +521,12 @@
/* Send our own protocol version identification. */
if (compat20) {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
+ PROTOCOL_MAJOR_1, minor1,
+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM);
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
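Review bot: With `DebianBanner no` the identification string still carries `SSH_RELEASE_MINIMUM`, whose definition is not visible in this patch. Presumably it is the upstream version without the distribution suffix, so the peer still learns the upstream release and only the package revision is hidden. A comment above the two `xasprintf` calls would record that limit, e.g. `/* DebianBanner=no drops only the distro suffix; the upstream version is still sent */`. The same ternary is repeated in the `compat20` and protocol-1 branches; a single local before the `if`, `const char *release = options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM;`, would keep them in step. The enclosing function starts and ends outside the hunk.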