Package: openssh Version: 1:5.1p1-8 Severity: wishlist Tags: patch Hi!
It is sometimes desirable to suppress the exact package version of openssh that is reported during the initial protocol handshake. While the attempts we made to deal with this more completely upstream were rejected[1], the "EXTRAVERSION" variable appears to be a Debian-specific change. This means a Debian-specific sshd option can be proposed to disable the EXTRAVERSION portion of the protocol greeting, so that the server announces

SSH-2.0-OpenSSH_5.1p1

instead of

SSH-2.0-OpenSSH_5.1p1 Debian-8

This patch introduces ReportExtraversion (which defaults to "yes"). When set to "no", "Debian-8" is left off the protocol greeting.

Thanks!

-Kees

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=764

-- Kees Cook @debian.org
diff -uNrp openssh-5.1p1~/debian/changelog openssh-5.1p1/debian/changelog
--- openssh-5.1p1~/debian/changelog 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/debian/changelog 2009-12-22 01:11:57.986834956 -0800
@@ -1,3 +1,12 @@
+openssh (1:5.1p1-9) unstable; urgency=low
+
+  * servconf.[ch], sshd.c, version.h, sshd_config.5: implement
+    ReportExtraversion server configuration flag that can be set to
+    "no" to allow sshd to run without the Debian-specific extra version
+    in the initial protocol handshake.
+
+ -- Kees Cook <[email protected]> Tue, 22 Dec 2009 01:11:04 -0800
+
 openssh (1:5.1p1-8) unstable; urgency=low
 
   * Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi;
diff -uNrp openssh-5.1p1~/servconf.c openssh-5.1p1/servconf.c
--- openssh-5.1p1~/servconf.c 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/servconf.c 2009-12-22 01:10:50.496829718 -0800
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->report_extraversion = -1;
 }
 
 void
@@ -267,6 +268,8 @@ fill_default_server_options(ServerOption
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
+	if (options->report_extraversion == -1)
+		options->report_extraversion = 1;
 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
@@ -313,6 +316,7 @@ typedef enum {
 	sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding,
+	sReportExtraversion,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -435,6 +439,7 @@ static struct {
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+	{ "reportextraversion", sReportExtraversion, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1313,6 +1318,10 @@ process_server_config_line(ServerOptions
 		*charptr = xstrdup(arg);
 		break;
 
+	case sReportExtraversion:
+		intptr = &options->report_extraversion;
+		goto parse_int;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
diff -uNrp openssh-5.1p1~/servconf.h openssh-5.1p1/servconf.h
--- openssh-5.1p1~/servconf.h 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/servconf.h 2009-12-22 01:10:50.496829718 -0800
@@ -151,6 +151,8 @@ typedef struct {
 	int num_permitted_opens;
+	int report_extraversion;
+
 	char *chroot_directory;
 } ServerOptions;
diff -uNrp openssh-5.1p1~/sshd.c openssh-5.1p1/sshd.c
--- openssh-5.1p1~/sshd.c 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/sshd.c 2009-12-22 01:10:50.496829718 -0800
@@ -425,7 +425,8 @@ sshd_exchange_identification(int sock_in
 		minor = PROTOCOL_MINOR_1;
 	}
 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-	    SSH_RELEASE, newline);
+	    options.report_extraversion ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
+	    newline);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
diff -uNrp openssh-5.1p1~/sshd_config.5 openssh-5.1p1/sshd_config.5
--- openssh-5.1p1~/sshd_config.5 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/sshd_config.5 2009-12-22 01:10:50.496829718 -0800
@@ -862,6 +862,11 @@ Specifies whether public key authenticat
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm ReportExtraversion
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
diff -uNrp openssh-5.1p1~/version.h openssh-5.1p1/version.h
--- openssh-5.1p1~/version.h 2009-12-22 01:16:09.000000000 -0800
+++ openssh-5.1p1/version.h 2009-12-22 01:10:50.496829718 -0800
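Review bot: The new `case sReportExtraversion:` jumps to `parse_int`, but the option is documented in this same patch (sshd_config.5) as taking `yes`/`no`; boolean server options in servconf.c go through `goto parse_flag;`, which accepts only those two keywords and fails on anything else. If `parse_int` converts its argument with `atoi()` as the other integer options do, `ReportExtraversion yes` would parse as 0 and drop the suffix — the opposite of the documented meaning — while `ReportExtraversion no` would only work by accident. The one-line fix is `goto parse_flag;`. The `parse_int`/`parse_flag` labels and the rest of `process_server_config_line` lie outside the hunk, so this is inferred from the surrounding file's conventions.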
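Review bot: The ternary on the new `snprintf()` argument changes which banner is sent without saying why, and a reader has to open version.h to learn that `SSH_RELEASE_MINIMUM` differs from `SSH_RELEASE` only when `SSH_EXTRAVERSION` is defined; a short comment above the call would help: `/* ReportExtraversion no: omit the distribution suffix (e.g. " Debian-N"); the upstream version string is still sent. */`. It is also worth recording, here or in the sshd_config.5 text, that the option removes only the distribution suffix — the OpenSSH version and portable patch level remain visible to the peer, so operators should not read it as hiding which release is running. `sshd_exchange_identification` continues outside the hunk.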
@@ -3,8 +3,9 @@
 #define SSH_VERSION "OpenSSH_5.1"
 #define SSH_PORTABLE "p1"
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
 #ifdef SSH_EXTRAVERSION
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
 #else
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
 #endif
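Review bot: `SSH_RELEASE_MINIMUM` is added without a comment, and because both branches of the `#ifdef` now build on it, `SSH_RELEASE` and `SSH_RELEASE_MINIMUM` expand to the same string whenever `SSH_EXTRAVERSION` is undefined, which makes `ReportExtraversion` a no-op in such builds. A one-liner on the new define would make that explicit: `/* Banner sent when ReportExtraversion is "no"; identical to SSH_RELEASE unless SSH_EXTRAVERSION is defined. */`.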

