--- a/components/openssh/Makefile Fri May 30 02:47:10 2014 -0700
+++ b/components/openssh/Makefile Fri May 30 10:34:34 2014 -0700
@@ -45,7 +45,7 @@
# Enable ASLR for this component
ASLR_MODE = $(ASLR_ENABLE)
-CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DLASTLOG_FIX -DKRB5_BUILD_FIX -DAUE_openssh=6172 -DDTRACE_SFTP"
+CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DLASTLOG_FIX -DKRB5_BUILD_FIX -DAUE_openssh=6172 -DDTRACE_SFTP -DDISABLE_BANNER"
# We need to disable lazyloading of dynamic dependent libraries. During the
# pre-authentication phase, sshd will chroot to /var/empty which doesn't
--- a/components/openssh/patches/008-deprecate_sunssh_opt.patch Fri May 30 02:47:10 2014 -0700
+++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch Fri May 30 10:34:34 2014 -0700
@@ -6,13 +6,12 @@
# changed from deprecated to supported. Since this is for Solaris only, we will
# not contribute back this change to the upstream community.
#
---- orig/readconf.c Wed Feb 5 17:16:20 2014
-+++ new/readconf.c Fri Mar 14 09:52:42 2014
[email protected]@ -267,7 +267,25 @@
- { "canonicalizemaxdots", oCanonicalizeMaxDots },
+--- orig/readconf.c Fri May 23 09:56:00 2014
++++ new/readconf.c Fri May 23 09:59:57 2014
[email protected]@ -268,6 +268,25 @@
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
{ "ignoreunknown", oIgnoreUnknown },
--
+
+#ifdef DEPRECATE_SUNSSH_OPT
+ /*
+ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
@@ -24,7 +23,6 @@
+ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
+ * later, then it will be changed from deprecated to supported.
+ */
-+ { "disablebanner", oDeprecated },
+ { "gssapikeyexchange", oDeprecated },
+ { "kmfpolicydatabase", oDeprecated },
+ { "kmfpolicyname", oDeprecated },
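Review bot: Removing the `disablebanner` entry from the DEPRECATE_SUNSSH_OPT table leaves the keyword recognised only when the separate DISABLE_BANNER macro is also defined, and nothing in either patch ties the two macros together. The Makefile in this change defines both, but a build with only DEPRECATE_SUNSSH_OPT would presumably send an existing `DisableBanner` line to the `{ NULL, oBadOption }` terminator instead of the deprecated-option debug message. Keeping the old entry as a guarded fallback would make the dependency explicit: `#ifndef DISABLE_BANNER`, `{ "disablebanner", oDeprecated },`, `#endif`. The keywords table begins before this hunk and ends after it.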
@@ -32,6 +30,7 @@
+ { "usefips140", oDeprecated },
+ { "useopensslengine", oDeprecated },
+#endif
++
{ NULL, oBadOption }
};
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/014-disable_banner.patch Fri May 30 10:34:34 2014 -0700
@@ -0,0 +1,163 @@
+#
+# This patch is to add a new DisableBanner option to the ssh client command,
+# which allows the ssh command to disable the display of the banner message.
+# We have contributed back this feature to the OpenSSH upstream community. For
+# more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2242.
+# In the future, if this feature is accepted by the upsteam in a later release,
+# we will remove this patch when we upgrade to that release.
+#
+--- orig/readconf.c Wed May 21 15:04:21 2014
++++ new/readconf.c Wed May 28 11:56:04 2014
[email protected]@ -148,7 +148,11 @@
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
++#ifdef DISABLE_BANNER
++ oDisableBanner, oIgnoredUnknownOption, oDeprecated, oUnsupported
++#else
+ oIgnoredUnknownOption, oDeprecated, oUnsupported
++#endif
+ } OpCodes;
+
+ /* Textual representations of the tokens. */
[email protected]@ -266,6 +270,9 @@
+ { "canonicalizehostname", oCanonicalizeHostname },
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
++#ifdef DISABLE_BANNER
++ { "disablebanner", oDisableBanner },
++#endif
+ { "ignoreunknown", oIgnoreUnknown },
+
+ { NULL, oBadOption }
[email protected]@ -682,6 +689,17 @@
+ { NULL, -1 }
+ };
+
++#ifdef DISABLE_BANNER
++static const struct multistate multistate_disablebanner[] = {
++ { "true", SSH_DISABLEBANNER_YES },
++ { "false", SSH_DISABLEBANNER_NO },
++ { "yes", SSH_DISABLEBANNER_YES },
++ { "no", SSH_DISABLEBANNER_NO },
++ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
++ { NULL, -1 }
++};
++#endif
++
+ /*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
[email protected]@ -1392,6 +1410,13 @@
+ intptr = &options->canonicalize_fallback_local;
+ goto parse_flag;
+
++#ifdef DISABLE_BANNER
++ case oDisableBanner:
++ intptr = &options->disable_banner;
++ multistate_ptr = multistate_disablebanner;
++ goto parse_multistate;
++#endif
++
+ case oDeprecated:
+ debug("%s line %d: Deprecated option \"%s\"",
+ filename, linenum, keyword);
[email protected]@ -1554,6 +1579,9 @@
+ options->ip_qos_bulk = -1;
+ options->request_tty = -1;
+ options->proxy_use_fdpass = -1;
++#ifdef DISABLE_BANNER
++ options->disable_banner = -1;
++#endif
+ options->ignored_unknown = NULL;
+ options->num_canonical_domains = 0;
+ options->num_permitted_cnames = 0;
[email protected]@ -1721,6 +1749,12 @@
+ options->canonicalize_fallback_local = 1;
+ if (options->canonicalize_hostname == -1)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
++
++#ifdef DISABLE_BANNER
++ if (options->disable_banner == -1)
++ options->disable_banner = 0;
++#endif
++
+ #define CLEAR_ON_NONE(v) \
+ do { \
+ if (v != NULL && strcasecmp(v, "none") == 0) { \
+--- orig/readconf.h Wed May 21 15:04:35 2014
++++ new/readconf.h Wed May 28 11:08:53 2014
[email protected]@ -155,6 +155,9 @@
+ struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
+
+ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
++#ifdef DISABLE_BANNER
++ int disable_banner; /* Disable display of banner */
++#endif
+ } Options;
+
+ #define SSH_CANONICALISE_NO 0
[email protected]@ -175,6 +178,12 @@
+ #define SSHCONF_CHECKPERM 1 /* check permissions on config file */
+ #define SSHCONF_USERCONF 2 /* user provided config file not system */
+
++#ifdef DISABLE_BANNER
++#define SSH_DISABLEBANNER_NO 0
++#define SSH_DISABLEBANNER_YES 1
++#define SSH_DISABLEBANNER_INEXECMODE 2
++#endif
++
+ void initialize_options(Options *);
+ void fill_default_options(Options *);
+ int process_config_line(Options *, struct passwd *, const char *, char *,
+--- orig/ssh_config.5 Thu May 22 15:05:04 2014
++++ new/ssh_config.5 Fri May 23 09:36:52 2014
[email protected]@ -507,6 +507,14 @@
+ then the backgrounded master connection will automatically terminate
+ after it has remained idle (with no client connections) for the
+ specified time.
++.It Cm DisableBanner
++If set to yes, disables the display of the banner message.
++If set to in-exec-mode, disables the display of banner message when in remote
++command mode only.
++.Pp
++The default value is no, which means that the banner is displayed unless the
++log level is QUIET, FATAL, or ERROR. See also the Banner option in
++.Xr sshd_config 4 . This option applies to protocol version 2 only.
+ .It Cm DynamicForward
+ Specifies that a TCP port on the local machine be forwarded
+ over the secure channel, and the application
+--- orig/sshconnect2.c Wed May 21 15:05:27 2014
++++ new/sshconnect2.c Thu May 29 17:33:56 2014
[email protected]@ -82,6 +82,10 @@
+ extern char *server_version_string;
+ extern Options options;
+
++#ifdef DISABLE_BANNER
++extern Buffer command;
++#endif
++
+ /*
+ * SSH2 key exchange
+ */
[email protected]@ -480,7 +484,20 @@
+ debug3("input_userauth_banner");
+ raw = packet_get_string(&len);
+ lang = packet_get_string(NULL);
++
++#ifdef DISABLE_BANNER
++ /*
++ * Banner is a warning message according to RFC 4252. So, never print
++ * a banner in error log level or lower. If the log level is higher,
++ * use DisableBanner option to decide whether to display it or not.
++ */
++ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
++ (options.disable_banner == SSH_DISABLEBANNER_NO ||
++ (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE &&
++ buffer_len(&command) == 0))) {
++#else
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
++#endif
+ if (len > 65536)
+ len = 65536;
+ msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
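Review bot: The ssh_config.5 text added for DisableBanner does not say that the suppressed message is the server's pre-authentication banner, which the patch's own comment calls a warning message per RFC 4252 and which sites often use for a legal or acceptable-use notice. An administrator setting `DisableBanner yes` in a system-wide config therefore gets no hint that users stop seeing that notice. I would add a sentence after the default-value paragraph such as `The banner is still sent by the server; this option only stops the client from printing it, including any usage notice the site relies on.` The page also lists only yes, no and in-exec-mode, while `multistate_disablebanner` accepts true and false as well. In fill_default_options the default is written as `options->disable_banner = 0;`, where `SSH_DISABLEBANNER_NO` would match the `SSH_CANONICALISE_NO` line just above it.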