24525860 upgrade OpenSSH to 7.3p1
24320031 problem in UTILITY/OPENSSH
24461706 problem in UTILITY/OPENSSH
24752716 Eliminate hard-to-maintain manpages section-number patch in openssh 11.3SRU
15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes
24597931 PAM_BUGFIX by-passes fake password for timing attack avoidance
23223069 problem in UTILITY/OPENSSH
24923674 problem in UTILITY/OPENSSH
23577308 OpenSSH Makefile: -DWITHOUT_ED25519 left behind
23140756 openssh passes bad option to configure (--with-tcp-wrappers)
24301902 Log connections dropped when exceeding MaxStartups
#
# This patch is to add a new DisableBanner option to the ssh client command,
# which allows the ssh command to disable the display of the banner message.
# We have contributed back this feature to the OpenSSH upstream community. For
# more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2242.
# In the future, if this feature is accepted by the upsteam in a later release,
# we will remove this patch when we upgrade to that release.
#
--- orig/readconf.c Mon Aug 15 15:45:25 2016
+++ new/readconf.c Mon Aug 15 15:53:23 2016
@@ -163,6 +163,9 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
+#ifdef DISABLE_BANNER
+ oDisableBanner,
+#endif
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
@@ -271,6 +274,9 @@
{ "controlmaster", oControlMaster },
{ "controlpersist", oControlPersist },
{ "hashknownhosts", oHashKnownHosts },
+#ifdef DISABLE_BANNER
+ { "disablebanner", oDisableBanner },
+#endif
{ "include", oInclude },
{ "tunnel", oTunnel },
{ "tunneldevice", oTunnelDevice },
@@ -794,6 +800,18 @@
{ NULL, -1 }
};
+
+#ifdef DISABLE_BANNER
+static const struct multistate multistate_disablebanner[] = {
+ { "true", SSH_DISABLEBANNER_YES },
+ { "false", SSH_DISABLEBANNER_NO },
+ { "yes", SSH_DISABLEBANNER_YES },
+ { "no", SSH_DISABLEBANNER_NO },
+ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
+ { NULL, -1 }
+};
+#endif
+
/*
* Processes a single option line as used in the configuration files. This
* only sets those values that have not already been set.
@@ -1657,6 +1675,13 @@
charptr = &options->identity_agent;
goto parse_string;
+#ifdef DISABLE_BANNER
+ case oDisableBanner:
+ intptr = &options->disable_banner;
+ multistate_ptr = multistate_disablebanner;
+ goto parse_multistate;
+#endif
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@@ -1847,6 +1872,9 @@
options->ip_qos_bulk = -1;
options->request_tty = -1;
options->proxy_use_fdpass = -1;
+#ifdef DISABLE_BANNER
+ options->disable_banner = -1;
+#endif
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
options->num_permitted_cnames = 0;
@@ -2041,6 +2069,10 @@
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
+#ifdef DISABLE_BANNER
+ if (options->disable_banner == -1)
+ options->disable_banner = 0;
+#endif
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->update_hostkeys == -1)
--- orig/readconf.h Mon Aug 15 15:45:28 2016
+++ new/readconf.h Mon Aug 15 15:55:00 2016
@@ -169,6 +169,9 @@
char *jump_extra;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
+#ifdef DISABLE_BANNER
+ int disable_banner; /* Disable display of banner */
+#endif
} Options;
#define SSH_CANONICALISE_NO 0
@@ -195,6 +198,12 @@
#define SSH_UPDATE_HOSTKEYS_YES 1
#define SSH_UPDATE_HOSTKEYS_ASK 2
+#ifdef DISABLE_BANNER
+#define SSH_DISABLEBANNER_NO 0
+#define SSH_DISABLEBANNER_YES 1
+#define SSH_DISABLEBANNER_INEXECMODE 2
+#endif
+
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
--- orig/ssh_config.5 Mon Aug 15 15:45:37 2016
+++ new/ssh_config.5 Mon Aug 15 15:57:36 2016
@@ -643,6 +643,14 @@
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
+.It Cm DisableBanner
+If set to yes, disables the display of the banner message.
+If set to in-exec-mode, disables the display of banner message when in remote
+command mode only.
+.Pp
+The default value is no, which means that the banner is displayed unless the
+log level is QUIET, FATAL, or ERROR. See also the Banner option in
++.Xr sshd_config 5 . This option applies to protocol version 2 only.
.It Cm DynamicForward
Specifies that a TCP port on the local machine be forwarded
over the secure channel, and the application
--- orig/sshconnect2.c Mon Aug 15 15:45:44 2016
+++ new/sshconnect2.c Thu Aug 18 18:28:20 2016
@@ -82,6 +82,10 @@
extern char *server_version_string;
extern Options options;
+#ifdef DISABLE_BANNER
+extern Buffer command;
+#endif
+
/*
* SSH2 key exchange
*/
@@ -502,7 +506,20 @@
debug3("%s", __func__);
msg = packet_get_string(&len);
lang = packet_get_string(NULL);
+
+#ifdef DISABLE_BANNER
+ /*
+ * Banner is a warning message according to RFC 4252. So, never print
+ * a banner in error log level or lower. If the log level is higher,
+ * use DisableBanner option to decide whether to display it or not.
+ */
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
+ (options.disable_banner == SSH_DISABLEBANNER_NO ||
+ (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE &&
+ buffer_len(&command) == 0)))
+#else
if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO)
+#endif
fmprintf(stderr, "%s", msg);
free(msg);
free(lang);