- djm@cvs.openbsd.org 2012/04/12 02:42:32
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@
diff --git a/ChangeLog b/ChangeLog
index 9c9b3fd..a8312a5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,10 @@
[ssh-keyscan.1 ssh-keyscan.c]
now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
look for them by default; bz#1971
+ - djm@cvs.openbsd.org 2012/04/12 02:42:32
+ [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+ VersionAddendum option to allow server operators to append some arbitrary
+ text to the SSH-... banner; ok deraadt@ "don't care" markus@
20120420
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
diff --git a/servconf.c b/servconf.c
index 6de7716..a8a40f9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -138,6 +138,7 @@
options->authorized_principals_file = NULL;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
}
void
@@ -277,7 +278,8 @@
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
options->ip_qos_bulk = IPTOS_THROUGHPUT;
-
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup("");
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_ON;
@@ -323,7 +325,7 @@
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- sKexAlgorithms, sIPQoS,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -448,6 +450,7 @@
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
+ { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -1403,6 +1406,22 @@
}
break;
+ case sVersionAddendum:
+ if (cp == NULL)
+ fatal("%.200s line %d: Missing argument.", filename,
+ linenum);
+ len = strspn(cp, WHITESPACE);
+ if (*activep && options->version_addendum == NULL) {
+ if (strcasecmp(cp + len, "none") == 0)
+ options->version_addendum = xstrdup("");
+ else if (strchr(cp + len, '\r') != NULL)
+ fatal("%.200s line %d: Invalid argument",
+ filename, linenum);
+ else
+ options->version_addendum = xstrdup(cp + len);
+ }
+ return 0;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1766,6 +1785,7 @@
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
+ dump_cfg_string(sVersionAddendum, o->version_addendum);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff --git a/servconf.h b/servconf.h
index 89f38e2..66ba387 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -166,6 +166,8 @@
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
+
+ char *version_addendum; /* Appended to SSH banner */
} ServerOptions;
/*
diff --git a/sshd.c b/sshd.c
index fddbc9d..b7066df 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -419,9 +419,11 @@
major = PROTOCOL_MAJOR_1;
minor = PROTOCOL_MINOR_1;
}
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_VERSION, newline);
- server_version_string = xstrdup(buf);
+
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ major, minor, SSH_VERSION,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
/* Send our protocol version identification. */
if (roaming_atomicio(vwrite, sock_out, server_version_string,
diff --git a/sshd_config b/sshd_config
index 473e866..99dbd85 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
+# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -107,6 +107,7 @@
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
+#VersionAddendum none
# no default banner path
#Banner none
diff --git a/sshd_config.5 b/sshd_config.5
index 4ef8b9e..1522355 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $
-.Dd $Mdocdate: September 9 2011 $
+.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $
+.Dd $Mdocdate: April 12 2012 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1079,6 +1079,11 @@
.Dq sandbox
then the pre-authentication unprivileged process is subject to additional
restrictions.
+.It Cm VersionAddendum
+Optionally specifies additional text to append to the SSH protocol banner
+sent by the server upon connection.
+The default is
+.Dq none .
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's