diff options
| author | Damien Miller <djm@mindrot.org> | 2012-04-22 03:24:43 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-04-22 03:24:43 +0200 |
| commit | 23528816dc10165b3bc009f2ab5fdf1653db418c (patch) | |
| tree | e5116ca83a35c9ede7bc5039ceffe352e0d05588 | |
| parent | - djm@cvs.openbsd.org 2012/04/11 13:34:17 (diff) | |
| download | openssh-23528816dc10165b3bc009f2ab5fdf1653db418c.tar.xz openssh-23528816dc10165b3bc009f2ab5fdf1653db418c.zip | |
- djm@cvs.openbsd.org 2012/04/12 02:42:32
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | servconf.c | 26 | ||||
| -rw-r--r-- | servconf.h | 4 | ||||
| -rw-r--r-- | sshd.c | 10 | ||||
| -rw-r--r-- | sshd_config | 3 | ||||
| -rw-r--r-- | sshd_config.5 | 9 |
6 files changed, 45 insertions, 11 deletions
@@ -33,6 +33,10 @@ [ssh-keyscan.1 ssh-keyscan.c] now that sshd defaults to offering ECDSA keys, ssh-keyscan should also look for them by default; bz#1971 + - djm@cvs.openbsd.org 2012/04/12 02:42:32 + [servconf.c servconf.h sshd.c sshd_config sshd_config.5] + VersionAddendum option to allow server operators to append some arbitrary + text to the SSH-... banner; ok deraadt@ "don't care" markus@ 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/servconf.c b/servconf.c index 6de77164e..a8a40f97e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.225 2012/04/12 02:42:32 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -138,6 +138,7 @@ initialize_server_options(ServerOptions *options) options->authorized_principals_file = NULL; options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; + options->version_addendum = NULL; } void @@ -277,7 +278,8 @@ fill_default_server_options(ServerOptions *options) options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_THROUGHPUT; - + if (options->version_addendum == NULL) + options->version_addendum = xstrdup(""); /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_ON; @@ -323,7 +325,7 @@ typedef enum { sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, - sKexAlgorithms, sIPQoS, + sKexAlgorithms, sIPQoS, sVersionAddendum, sDeprecated, sUnsupported } ServerOpCodes; @@ -448,6 +450,7 @@ static struct { { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, + { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -1403,6 +1406,22 @@ process_server_config_line(ServerOptions *options, char *line, } break; + case sVersionAddendum: + if (cp == NULL) + fatal("%.200s line %d: Missing argument.", filename, + linenum); + len = strspn(cp, WHITESPACE); + if (*activep && options->version_addendum == NULL) { + if (strcasecmp(cp + len, "none") == 0) + options->version_addendum = xstrdup(""); + else if (strchr(cp + len, '\r') != NULL) + fatal("%.200s line %d: Invalid argument", + filename, linenum); + else + options->version_addendum = xstrdup(cp + len); + } + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1766,6 +1785,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); + dump_cfg_string(sVersionAddendum, o->version_addendum); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff --git a/servconf.h b/servconf.h index 89f38e20f..66ba387dd 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.100 2012/04/12 02:42:32 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -166,6 +166,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; + + char *version_addendum; /* Appended to SSH banner */ } ServerOptions; /* @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.389 2012/04/11 13:26:40 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.390 2012/04/12 02:42:32 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -419,9 +419,11 @@ sshd_exchange_identification(int sock_in, int sock_out) major = PROTOCOL_MAJOR_1; minor = PROTOCOL_MINOR_1; } - snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, - SSH_VERSION, newline); - server_version_string = xstrdup(buf); + + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", + major, minor, SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); /* Send our protocol version identification. */ if (roaming_atomicio(vwrite, sock_out, server_version_string, diff --git a/sshd_config b/sshd_config index 473e86654..99dbd8580 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ +# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -107,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys #MaxStartups 10 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none diff --git a/sshd_config.5 b/sshd_config.5 index 4ef8b9e6d..1522355a8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $ -.Dd $Mdocdate: September 9 2011 $ +.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $ +.Dd $Mdocdate: April 12 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1079,6 +1079,11 @@ is set to .Dq sandbox then the pre-authentication unprivileged process is subject to additional restrictions. +.It Cm VersionAddendum +Optionally specifies additional text to append to the SSH protocol banner +sent by the server upon connection. +The default is +.Dq none . .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's |