Bug 193127 - [PATCH] security/openssh-portable should allow a plain protocol version string
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Bryan Drewery
Keywords: patch-ready
Reported: 2014-08-29 18:16 UTC by Adam McDougall
Modified: 2015-03-29 04:18 UTC (History)
Attachments
Patch to allow bare SSH protocol version string (1.36 KB, patch)
2014-08-29 18:16 UTC, Adam McDougall
Patch to allow bare SSH protocol version string (updated) (1.80 KB, patch)
2014-08-29 20:20 UTC, Adam McDougall
poudriere build log (259.36 KB, text/x-log)
2014-08-29 20:27 UTC, Adam McDougall
Patch to allow bare SSH protocol version string (update 2) (1.79 KB, patch)
2014-08-30 22:32 UTC, Adam McDougall
patch for Makefile (999 bytes, patch)
2014-11-12 20:39 UTC, Bernard Spil
Patch for the servconf.c patch (2.17 KB, patch)
2014-11-12 20:39 UTC, Bernard Spil
Build log for patched version (238.77 KB, text/plain)
2014-11-12 20:42 UTC, Bernard Spil
Description Adam McDougall 2014-08-29 18:16:19 UTC
Created attachment 146494
Patch to allow bare SSH protocol version string

Some users do not wish to disclose additional patches or OS information in their SSH server protocol version string:

SSH-2.0-OpenSSH_6.6.1
vs
SSH-2.0-OpenSSH_6.6.1p1-hpn14v2 FreeBSD-openssh-portable-6.6.p1_3,1

The last string can be controlled by VersionAddendum in sshd_config, but _hpn13v11 cannot; it is hard compiled.

Attached patch retains status quo but adds an option SSH_VERSIONMOD that can be disabled to allow the user to disable compiled modifications to SSH_VERSION.
Comment 1 Carlo Strub freebsd_committer 2014-08-29 19:49:21 UTC
Please provide us with redports.org or Poudriere logs that confirm your patch is working fine.
Comment 2 Adam McDougall 2014-08-29 20:20:23 UTC
Created attachment 146504
Patch to allow bare SSH protocol version string (updated)

Updated patch for option description and portrevision bump
Comment 3 Adam McDougall 2014-08-29 20:27:14 UTC
Created attachment 146507
poudriere build log

Poudriere build log.  Most contents of make.conf redacted because I don't want my system details public, hope that is okay.  I can provide privately if needed, but the package built, I installed and tested it on a client system.  Thanks.
Comment 4 Adam McDougall 2014-08-30 22:32:44 UTC
Created attachment 146576
Patch to allow bare SSH protocol version string (update 2)

I realized the option description was getting truncated in the 'make config' dialog.  Changed wording to make it fit.  Tested.
Comment 5 Tilman Keskinoz freebsd_committer 2014-08-31 09:28:28 UTC
over to maintainer
Comment 6 Bryan Drewery freebsd_committer 2014-10-13 15:00:10 UTC
I'd rather have VersionAddendum fixed so this is a runtime change.
Comment 7 Bernard Spil freebsd_committer 2014-11-12 20:39:17 UTC
Created attachment 149338
patch for Makefile

Removes the existing extra VersionAddendum.
VersionAddendum is now handled as in base by setting a default in version.h and applying it in servconf.h.
Comment 8 Bernard Spil freebsd_committer 2014-11-12 20:39:46 UTC
Created attachment 149339
Patch for the servconf.c patch
Comment 9 Bernard Spil freebsd_committer 2014-11-12 20:42:16 UTC
Created attachment 149340
Build log for patched version

Built on a fresh FreeBSD 10.1-RELEASE

$ /usr/local/bin/ssh -v localhost
OpenSSH_6.6.1, LibreSSL 2.1
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/bernard/.ssh/id_rsa type 1
debug1: identity file /home/bernard/.ssh/id_rsa-cert type -1
debug1: identity file /home/bernard/.ssh/id_dsa type -1
debug1: identity file /home/bernard/.ssh/id_dsa-cert type -1
debug1: identity file /home/bernard/.ssh/id_ecdsa type -1
debug1: identity file /home/bernard/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/bernard/.ssh/id_ed25519 type 4
debug1: identity file /home/bernard/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1-hpn14v2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1-hpn14v2  FreeBSD-openssh-portable-6.6.p1_4,1
debug1: match: OpenSSH_6.6.1p1-hpn14v2  FreeBSD-openssh-portable-6.6.p1_4,1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: ssh_ecdsa_verify: signature correct
debug1: Server host key: ECDSA-CERT 41:c1:b8:f2:6c:03:da:eb:d3:b3:f5:3a:23:87:12:05
debug1: No matching CA found. Retry with plain key
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/bernard/.ssh/known_hosts:8
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bernard/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/bernard/.ssh/id_rsa':
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Single to Multithread CTR cipher swap - client request
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([127.0.0.1]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: need rekeying
debug1: SSH2_MSG_KEXINIT sent
debug1: rekeying in progress
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 1
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: ssh_ecdsa_verify: signature correct
debug1: Server host key: ECDSA-CERT 41:c1:b8:f2:6c:03:da:eb:d3:b3:f5:3a:23:87:12:05
debug1: No matching CA found. Retry with plain key
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/bernard/.ssh/known_hosts:8
debug1: ssh_ecdsa_verify: signature correct
debug1: set_newkeys: rekeying
debug1: spawned a thread
debug1: spawned a thread
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: set_newkeys: rekeying
debug1: spawned a thread
debug1: spawned a thread
debug1: SSH2_MSG_NEWKEYS received
Last login: Wed Nov 12 21:41:29 2014 from localhost
FreeBSD 10.1-RELEASE (BEASTIE101) #0 r264324M: Tue Nov 11 13:46:58 CET 2014
Comment 10 Bryan Drewery freebsd_committer 2015-03-22 20:53:03 UTC
(In reply to Bernard Spil from comment #8)

This patch is likely what I want. As I mentioned to Bernard on IRC the other day I am planning to get this issue resolved before updating to 6.8 very soon.
Comment 11 commit-hook freebsd_committer 2015-03-23 02:45:17 UTC
A commit references this bug:

Author: bdrewery
Date: Mon Mar 23 02:45:13 UTC 2015
New revision: 280360
URL: https://svnweb.freebsd.org/changeset/base/280360

Log:
  Document "none" for VersionAddendum.

  PR:		193127
  MFC after:	2 weeks

Changes:
  head/crypto/openssh/ssh_config.5
  head/crypto/openssh/sshd_config.5
Comment 12 Bryan Drewery freebsd_committer 2015-03-23 03:18:21 UTC
For reference, the attached patches have several issues. The Makefile change has a NOP sed. The servconf.c patch fails to patch with X509 at least. There is no manpage or sshd_config update.

I am adding all of this. There is a good reason this was not rushed in.
Comment 13 commit-hook freebsd_committer 2015-03-23 04:23:25 UTC
A commit references this bug:

Author: bdrewery
Date: Mon Mar 23 04:23:11 UTC 2015
New revision: 381981
URL: https://svnweb.freebsd.org/changeset/ports/381981

Log:
  Stop forcing the port version string into the server banner.

  The port now uses VersionAddendum in the sshd_config to allow overriding
  this value. Using "none" allows disabling the default of the port
  version string. The default is kept to show the port version string to
  remain close to the base version.

  Support for the client VersionAddendum may be added soon as well to better
  match base and not give surprises when switching from base to the port.

  PR:		193127
  Requested by:	many, including myself when this was broken years ago.

Changes:
  head/UPDATING
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/patch-servconf.c
  head/security/openssh-portable/files/patch-sshd_config.5
Comment 14 Bryan Drewery freebsd_committer 2015-03-23 04:23:49 UTC
It's in. You can now override it with your own value or "none" (no quotes) in your sshd_config.
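An added example, not part of this bug or of the port: a small parser for the identification string (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments CR LF") that splits the software version from the comments field where the port's addendum lives, so an administrator can confirm after setting VersionAddendum none that the banner no longer carries the port or OS string. The sample lines are constructed from the banners quoted in this bug; fetch_banner is a hypothetical helper for checking one's own sshd.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF
# The comments field is optional; it is where VersionAddendum ends up.
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")


@dataclass
class Banner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_banner(line: str) -> Banner:
    """Parse one identification line; trailing CR/LF is stripped first."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comments"))


def addendum_disclosed(b: Banner) -> bool:
    """True when the comments field carries an addendum (port/OS string)."""
    return bool(b.comments and b.comments.strip())


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> Banner:
    """Hypothetical helper: read the server's identification line from one
    of your own hosts. RFC 4253 allows other lines before it, so skip those."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return parse_banner(line)
    raise ValueError("no identification string received")


# Constructed sample lines mirroring the banners quoted in this bug:
# the port default (addendum present) and the result of VersionAddendum none.
SAMPLE_DEFAULT = "SSH-2.0-OpenSSH_6.6.1p1-hpn14v2  FreeBSD-openssh-portable-6.6.p1_4,1\r\n"
SAMPLE_NONE = "SSH-2.0-OpenSSH_6.6.1p1-hpn14v2\r\n"
```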
Comment 15 commit-hook freebsd_committer 2015-03-29 04:18:51 UTC
A commit references this bug:

Author: bdrewery
Date: Sun Mar 29 04:17:55 UTC 2015
New revision: 382566
URL: https://svnweb.freebsd.org/changeset/ports/382566

Log:
  Make the VersionAddendum fix use the proper default.

  Once I ran into the X509 issue previously I failed to retest that the patch
  worked.

  PR:		193127

Changes:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/extra-patch-version-addendum