# HG changeset patch # User Huie-Ying Lee # Date 1401471274 25200 # Node ID 72ec8810274bae0f0d325b38d3bcba5fedb4da25 # Parent d039290bd0313ef55cfea99dc9b79e4036d9b8eb 18828925 migrate the disablebanner feature from SunSSH to OpenSSH diff -r d039290bd031 -r 72ec8810274b components/openssh/Makefile --- a/components/openssh/Makefile Fri May 30 02:47:10 2014 -0700 +++ b/components/openssh/Makefile Fri May 30 10:34:34 2014 -0700 @@ -45,7 +45,7 @@ # Enable ASLR for this component ASLR_MODE = $(ASLR_ENABLE) -CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DLASTLOG_FIX -DKRB5_BUILD_FIX -DAUE_openssh=6172 -DDTRACE_SFTP" +CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DLASTLOG_FIX -DKRB5_BUILD_FIX -DAUE_openssh=6172 -DDTRACE_SFTP -DDISABLE_BANNER" # We need to disable lazyloading of dynamic dependent libraries. During the # pre-authentication phase, sshd will chroot to /var/empty which doesn't diff -r d039290bd031 -r 72ec8810274b components/openssh/patches/008-deprecate_sunssh_opt.patch --- a/components/openssh/patches/008-deprecate_sunssh_opt.patch Fri May 30 02:47:10 2014 -0700 +++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch Fri May 30 10:34:34 2014 -0700 @@ -6,13 +6,12 @@ # changed from deprecated to supported. Since this is for Solaris only, we will # not contribute back this change to the upstream community. # ---- orig/readconf.c Wed Feb 5 17:16:20 2014 -+++ new/readconf.c Fri Mar 14 09:52:42 2014 -@@ -267,7 +267,25 @@ - { "canonicalizemaxdots", oCanonicalizeMaxDots }, +--- orig/readconf.c Fri May 23 09:56:00 2014 ++++ new/readconf.c Fri May 23 09:59:57 2014 +@@ -268,6 +268,25 @@ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, { "ignoreunknown", oIgnoreUnknown }, -- + +#ifdef DEPRECATE_SUNSSH_OPT + /* + * On Solaris, to make the transition from SunSSH to OpenSSH as smooth 
@@ -24,7 +23,6 @@ + * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH + * later, then it will be changed from deprecated to supported. + */ -+ { "disablebanner", oDeprecated }, + { "gssapikeyexchange", oDeprecated }, + { "kmfpolicydatabase", oDeprecated }, + { "kmfpolicyname", oDeprecated }, @@ -32,6 +30,7 @@ + { "usefips140", oDeprecated }, + { "useopensslengine", oDeprecated }, +#endif ++ { NULL, oBadOption } }; diff -r d039290bd031 -r 72ec8810274b components/openssh/patches/014-disable_banner.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/patches/014-disable_banner.patch Fri May 30 10:34:34 2014 -0700 
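Review bot: The added `++ { NULL, oBadOption }` line makes the 008 patch itself emit the keywords-table terminator right after its `#endif`, while the new 014 patch's readconf.c hunk `@@ -266,6 +270,9 @@` still shows upstream's own `{ NULL, oBadOption }` as trailing context two lines below `ignoreunknown`; unless a part of this inner hunk that is not visible here also drops upstream's terminator, the table would end with two sentinel entries and 014's trailing context would no longer match exactly. A second sentinel is unreachable by the name lookup and so harmless at runtime, but whether `patch` applies 008 and then 014 cleanly cannot be confirmed from the visible lines, so this is a request to check the patched readconf.c after both are applied rather than a definite defect. The last two context lines of this hunk (the `@@ -32,6 +30,7 @@` header promises seven new lines) appear to have been collapsed in this rendering.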
@@ -0,0 +1,163 @@ +# +# This patch is to add a new DisableBanner option to the ssh client command, +# which allows the ssh command to disable the display of the banner message. +# We have contributed back this feature to the OpenSSH upstream community. For +# more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2242. +# In the future, if this feature is accepted by the upsteam in a later release, +# we will remove this patch when we upgrade to that release. +# +--- orig/readconf.c Wed May 21 15:04:21 2014 ++++ new/readconf.c Wed May 28 11:56:04 2014 +@@ -148,7 +148,11 @@ + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, + oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, ++#ifdef DISABLE_BANNER ++ oDisableBanner, oIgnoredUnknownOption, oDeprecated, oUnsupported ++#else + oIgnoredUnknownOption, oDeprecated, oUnsupported ++#endif + } OpCodes; + + /* Textual representations of the tokens. */ +@@ -266,6 +270,9 @@ + { "canonicalizehostname", oCanonicalizeHostname }, + { "canonicalizemaxdots", oCanonicalizeMaxDots }, + { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, ++#ifdef DISABLE_BANNER ++ { "disablebanner", oDisableBanner }, ++#endif + { "ignoreunknown", oIgnoreUnknown }, + + { NULL, oBadOption } +@@ -682,6 +689,17 @@ + { NULL, -1 } + }; + ++#ifdef DISABLE_BANNER ++static const struct multistate multistate_disablebanner[] = { ++ { "true", SSH_DISABLEBANNER_YES }, ++ { "false", SSH_DISABLEBANNER_NO }, ++ { "yes", SSH_DISABLEBANNER_YES }, ++ { "no", SSH_DISABLEBANNER_NO }, ++ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE }, ++ { NULL, -1 } ++}; ++#endif ++ + /* + * Processes a single option line as used in the configuration files. This + * only sets those values that have not already been set. 
+@@ -1392,6 +1410,13 @@ + intptr = &options->canonicalize_fallback_local; + goto parse_flag; + ++#ifdef DISABLE_BANNER ++ case oDisableBanner: ++ intptr = &options->disable_banner; ++ multistate_ptr = multistate_disablebanner; ++ goto parse_multistate; ++#endif ++ + case oDeprecated: + debug("%s line %d: Deprecated option \"%s\"", + filename, linenum, keyword); +@@ -1554,6 +1579,9 @@ + options->ip_qos_bulk = -1; + options->request_tty = -1; + options->proxy_use_fdpass = -1; ++#ifdef DISABLE_BANNER ++ options->disable_banner = -1; ++#endif + options->ignored_unknown = NULL; + options->num_canonical_domains = 0; + options->num_permitted_cnames = 0; +@@ -1721,6 +1749,12 @@ + options->canonicalize_fallback_local = 1; + if (options->canonicalize_hostname == -1) + options->canonicalize_hostname = SSH_CANONICALISE_NO; ++ ++#ifdef DISABLE_BANNER ++ if (options->disable_banner == -1) ++ options->disable_banner = 0; ++#endif ++ + #define CLEAR_ON_NONE(v) \ + do { \ + if (v != NULL && strcasecmp(v, "none") == 0) { \ +--- orig/readconf.h Wed May 21 15:04:35 2014 ++++ new/readconf.h Wed May 28 11:08:53 2014 +@@ -155,6 +155,9 @@ + struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; + + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ ++#ifdef DISABLE_BANNER ++ int disable_banner; /* Disable display of banner */ ++#endif + } Options; + + #define SSH_CANONICALISE_NO 0 +@@ -175,6 +178,12 @@ + #define SSHCONF_CHECKPERM 1 /* check permissions on config file */ + #define SSHCONF_USERCONF 2 /* user provided config file not system */ + ++#ifdef DISABLE_BANNER ++#define SSH_DISABLEBANNER_NO 0 ++#define SSH_DISABLEBANNER_YES 1 ++#define SSH_DISABLEBANNER_INEXECMODE 2 ++#endif ++ + void initialize_options(Options *); + void fill_default_options(Options *); + int process_config_line(Options *, struct passwd *, const char *, char *, +--- orig/ssh_config.5 Thu May 22 15:05:04 2014 ++++ new/ssh_config.5 Fri May 23 09:36:52 2014 +@@ -507,6 +507,14 @@ + then the 
backgrounded master connection will automatically terminate + after it has remained idle (with no client connections) for the + specified time. ++.It Cm DisableBanner ++If set to yes, disables the display of the banner message. ++If set to in-exec-mode, disables the display of banner message when in remote ++command mode only. ++.Pp ++The default value is no, which means that the banner is displayed unless the ++log level is QUIET, FATAL, or ERROR. See also the Banner option in ++.Xr sshd_config 4 . This option applies to protocol version 2 only. + .It Cm DynamicForward + Specifies that a TCP port on the local machine be forwarded + over the secure channel, and the application +--- orig/sshconnect2.c Wed May 21 15:05:27 2014 ++++ new/sshconnect2.c Thu May 29 17:33:56 2014 +@@ -82,6 +82,10 @@ + extern char *server_version_string; + extern Options options; + ++#ifdef DISABLE_BANNER ++extern Buffer command; ++#endif ++ + /* + * SSH2 key exchange + */ +@@ -480,7 +484,20 @@ + debug3("input_userauth_banner"); + raw = packet_get_string(&len); + lang = packet_get_string(NULL); ++ ++#ifdef DISABLE_BANNER ++ /* ++ * Banner is a warning message according to RFC 4252. So, never print ++ * a banner in error log level or lower. If the log level is higher, ++ * use DisableBanner option to decide whether to display it or not. ++ */ ++ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO && ++ (options.disable_banner == SSH_DISABLEBANNER_NO || ++ (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE && ++ buffer_len(&command) == 0))) { ++#else + if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) { ++#endif + if (len > 65536) + len = 65536; + msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
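Review bot: In the defaults-filling hunk (`@@ -1721,6 +1749,12 @@`, presumably `fill_default_options`) the default is written as the bare literal `options->disable_banner = 0;` even though the same patch defines `SSH_DISABLEBANNER_NO` in readconf.h; `options->disable_banner = SSH_DISABLEBANNER_NO;` keeps the default tied to the constant that `input_userauth_banner` compares against. The `OpCodes` enum hunk repeats `oIgnoredUnknownOption, oDeprecated, oUnsupported` in both arms of the `#ifdef DISABLE_BANNER`/`#else`; wrapping only `oDisableBanner,` in `#ifdef DISABLE_BANNER` … `#endif` ahead of the shared tail removes a duplication the two arms must otherwise be kept in sync, and the same applies to the duplicated `if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO` head in the sshconnect2.c hunk, which could be a single `if` on a flag computed under the `#ifdef`. The readconf.h field comment `/* Disable display of banner */` would be more useful as `/* SSH_DISABLEBANNER_NO, _YES or _INEXECMODE; -1 until defaults are filled */`, since the three-valued meaning is not visible from the `int`. The functions these inner hunks cut into (the option-line parser, the defaults filler and `input_userauth_banner`) begin and end outside the quoted context.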