
Bug#562048: allow for the package-specific version banner to be suppressed



Package: openssh
Version: 1:5.1p1-8
Severity: wishlist
Tags: patch

Hi!

It is sometimes desirable to suppress the exact package version of
openssh that is reported during the initial protocol handshake.

While the attempts we made to deal with this more completely upstream were
rejected[1], the "EXTRAVERSION" variable appears to be a Debian-specific
change.  This means a Debian-specific sshd option can be proposed to
disable the EXTRAVERSION portion of the protocol greeting, so that sshd
sends

SSH-2.0-OpenSSH_5.1p1

instead of

SSH-2.0-OpenSSH_5.1p1 Debian-8

This patch introduces ReportExtraversion (which defaults to "yes").  When
set to "no", "Debian-8" is left off the protocol greeting.

Thanks!

-Kees

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=764

-- 
Kees Cook                                            kees@debian.org
diff -uNrp openssh-5.1p1~/debian/changelog openssh-5.1p1/debian/changelog
--- openssh-5.1p1~/debian/changelog	2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/debian/changelog	2009-12-22 01:11:57.986834956 -0800
@@ -1,3 +1,12 @@
+openssh (1:5.1p1-9) unstable; urgency=low
+
+  * servconf.[ch], sshd.c, version.h, sshd_config.5: implement
+    ReportExtraversion server configuration flag that can be set to
+    "no" to allow sshd to run without the Debian-specific extra version
+    in the initial protocol handshake.
+
+ -- Kees Cook <kees@debian.org>  Tue, 22 Dec 2009 01:11:04 -0800
+
 openssh (1:5.1p1-8) unstable; urgency=low
 
   * Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi;
diff -uNrp openssh-5.1p1~/servconf.c openssh-5.1p1/servconf.c
--- openssh-5.1p1~/servconf.c	2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/servconf.c	2009-12-22 01:10:50.496829718 -0800
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions 
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->report_extraversion = -1;
 }
 
 void
@@ -267,6 +268,8 @@ fill_default_server_options(ServerOption
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
+	if (options->report_extraversion == -1)
+		options->report_extraversion = 1;
 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
@@ -313,6 +316,7 @@ typedef enum {
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+	sReportExtraversion,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -435,6 +439,7 @@ static struct {
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+	{ "reportextraversion", sReportExtraversion, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1313,6 +1318,10 @@ process_server_config_line(ServerOptions
 			*charptr = xstrdup(arg);
 		break;
 
+	case sReportExtraversion:
+		intptr = &options->report_extraversion;
+		goto parse_int;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
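Review bot: The new `case sReportExtraversion` jumps to `parse_int`, but the option is documented (in the bug text and in the sshd_config.5 hunk) as a yes/no flag; if `parse_int` is the usual integer path in this file, the argument goes through atoi, so both `yes` and `no` convert to 0 and `ReportExtraversion yes` would silently suppress the suffix while any non-numeric typo is accepted instead of rejected. The label should be `goto parse_flag;`, which accepts only `yes`/`no` and fails the config load on anything else. Since the keyword is registered as SSHCFG_GLOBAL in the earlier hunk, the flag path's `if (*intptr == -1)` first-wins semantics also match how the other global booleans in this function behave. The enclosing process_server_config_line starts and ends outside this hunk.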
diff -uNrp openssh-5.1p1~/servconf.h openssh-5.1p1/servconf.h
--- openssh-5.1p1~/servconf.h	2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/servconf.h	2009-12-22 01:10:50.496829718 -0800
@@ -151,6 +151,8 @@ typedef struct {
 
 	int	num_permitted_opens;
 
+	int	report_extraversion;
+
 	char   *chroot_directory;
 }       ServerOptions;
 
diff -uNrp openssh-5.1p1~/sshd.c openssh-5.1p1/sshd.c
--- openssh-5.1p1~/sshd.c	2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/sshd.c	2009-12-22 01:10:50.496829718 -0800
@@ -425,7 +425,8 @@ sshd_exchange_identification(int sock_in
 		minor = PROTOCOL_MINOR_1;
 	}
 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-	    SSH_RELEASE, newline);
+	    options.report_extraversion ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+	    newline);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
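Review bot: The ternary on the SSH_RELEASE line selects between two macros whose difference is not visible here, so a one-line comment above the snprintf would save the next reader a trip to version.h, e.g. `/* ReportExtraversion=no drops the distribution EXTRAVERSION suffix from the banner */`. Note that server_version_string is built from the same buffer on the next line, so whatever is chosen here is also what the protocol-2 key exchange hashes, which is the correct place for the switch rather than a second copy of the string. The enclosing sshd_exchange_identification starts and ends outside this hunk, and the hunk does not show where options is filled, so it relies on fill_default_server_options having run before this point.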
diff -uNrp openssh-5.1p1~/sshd_config.5 openssh-5.1p1/sshd_config.5
--- openssh-5.1p1~/sshd_config.5	2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/sshd_config.5	2009-12-22 01:10:50.496829718 -0800
@@ -862,6 +862,11 @@ Specifies whether public key authenticat
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm ReportExtraversion
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
diff -uNrp openssh-5.1p1~/version.h openssh-5.1p1/version.h
--- openssh-5.1p1~/version.h	2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/version.h	2009-12-22 01:10:50.496829718 -0800
@@ -3,8 +3,9 @@
 #define SSH_VERSION	"OpenSSH_5.1"
 
 #define SSH_PORTABLE	"p1"
+#define SSH_RELEASE_MINIMUM	SSH_VERSION SSH_PORTABLE
 #ifdef SSH_EXTRAVERSION
-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION
+#define SSH_RELEASE	SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
 #else
-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE	SSH_RELEASE_MINIMUM
 #endif
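Review bot: SSH_RELEASE_MINIMUM is introduced without a comment, and its purpose only becomes clear from the sshd.c hunk; a short note above the define would help, e.g. `/* Release string without the distribution-specific EXTRAVERSION suffix; sshd sends this when ReportExtraversion is "no". */`. It may also be worth stating in that comment that when SSH_EXTRAVERSION is not defined the two macros are identical, so the option is a no-op on such builds, which is what the #else branch shows.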
