Created attachment 146494 [details] Patch to allow bare SSH protocol version string Some users do not wish to disclose additional patches or OS information in their SSH server protocol version string: SSH-2.0-OpenSSH_6.6.1 vs SSH-2.0-OpenSSH_6.6.1p1-hpn14v2 FreeBSD-openssh-portable-6.6.p1_3,1 The last string can be controlled by VersionAddendum in sshd_config, but _hpn13v11 cannot; it is hard-compiled. The attached patch retains the status quo but adds an option SSH_VERSIONMOD that can be disabled to allow the user to disable compiled modifications to SSH_VERSION.
Please provide us with redports.org or Poudriere logs that confirm your patch is working fine.
Created attachment 146504 [details] Patch to allow bare SSH protocol version string (updated) Updated patch for option description and portrevision bump
Created attachment 146507 [details] poudriere build log Poudriere build log. Most contents of make.conf redacted because I don't want my system details public, hope that is okay. I can provide privately if needed, but the package built, I installed and tested it on a client system. Thanks.
Created attachment 146576 [details] Patch to allow bare SSH protocol version string (update 2) I realized the option description was getting truncated in the 'make config' dialog. Changed wording to make it fit. Tested.
over to maintainer
I'd rather have VersionAddendum fixed so this is a runtime change.
Created attachment 149338 [details] patch for Makefile Removes the existing extra VersionAddendum. VersionAddendum is now handled as in base by setting a default in version.h and applying it in servconf.h.
Created attachment 149339 [details] Patch for the servconf.c patch
Created attachment 149340 [details] Build log for patched version Built on a fresh FreeBSD 10.1-RELEASE

$ /usr/local/bin/ssh -v localhost
OpenSSH_6.6.1, LibreSSL 2.1
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/bernard/.ssh/id_rsa type 1
debug1: identity file /home/bernard/.ssh/id_rsa-cert type -1
debug1: identity file /home/bernard/.ssh/id_dsa type -1
debug1: identity file /home/bernard/.ssh/id_dsa-cert type -1
debug1: identity file /home/bernard/.ssh/id_ecdsa type -1
debug1: identity file /home/bernard/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/bernard/.ssh/id_ed25519 type 4
debug1: identity file /home/bernard/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1-hpn14v2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1-hpn14v2 FreeBSD-openssh-portable-6.6.p1_4,1
debug1: match: OpenSSH_6.6.1p1-hpn14v2 FreeBSD-openssh-portable-6.6.p1_4,1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: ssh_ecdsa_verify: signature correct
debug1: Server host key: ECDSA-CERT 41:c1:b8:f2:6c:03:da:eb:d3:b3:f5:3a:23:87:12:05
debug1: No matching CA found. Retry with plain key
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/bernard/.ssh/known_hosts:8
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bernard/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/bernard/.ssh/id_rsa':
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Single to Multithread CTR cipher swap - client request
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([127.0.0.1]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: need rekeying
debug1: SSH2_MSG_KEXINIT sent
debug1: rekeying in progress
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 1
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: ssh_ecdsa_verify: signature correct
debug1: Server host key: ECDSA-CERT 41:c1:b8:f2:6c:03:da:eb:d3:b3:f5:3a:23:87:12:05
debug1: No matching CA found. Retry with plain key
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/bernard/.ssh/known_hosts:8
debug1: ssh_ecdsa_verify: signature correct
debug1: set_newkeys: rekeying
debug1: spawned a thread
debug1: spawned a thread
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: set_newkeys: rekeying
debug1: spawned a thread
debug1: spawned a thread
debug1: SSH2_MSG_NEWKEYS received
Last login: Wed Nov 12 21:41:29 2014 from localhost
FreeBSD 10.1-RELEASE (BEASTIE101) #0 r264324M: Tue Nov 11 13:46:58 CET 2014
(In reply to Bernard Spil from comment #8) This patch is likely what I want. As I mentioned to Bernard on IRC the other day I am planning to get this issue resolved before updating to 6.8 very soon.
A commit references this bug:

Author: bdrewery
Date: Mon Mar 23 02:45:13 UTC 2015
New revision: 280360
URL: https://svnweb.freebsd.org/changeset/base/280360

Log:
  Document "none" for VersionAddendum.

  PR: 193127
  MFC after: 2 weeks

Changes:
  head/crypto/openssh/ssh_config.5
  head/crypto/openssh/sshd_config.5
For reference, the attached patches have several issues. The Makefile change has a NOP sed. The servconf.c patch fails to patch with X509 at least. There is no manpage or sshd_config update. I am adding all of this. There is a good reason this was not rushed in.
A commit references this bug:

Author: bdrewery
Date: Mon Mar 23 04:23:11 UTC 2015
New revision: 381981
URL: https://svnweb.freebsd.org/changeset/ports/381981

Log:
  Stop forcing the port version string into the server banner. The port now uses VersionAddendum in the sshd_config to allow overriding this value. Using "none" allows disabling the default of the port version string. The default is kept to show the port version string to remain close to the base version.

  Support for the client VersionAddendum may be added soon as well to better match base and not give surprises when switching from base to the port.

  PR: 193127
  Requested by: many, including myself when this was broken years ago.

Changes:
  head/UPDATING
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/patch-servconf.c
  head/security/openssh-portable/files/patch-sshd_config.5
It's in. You can now override it with your own value or "none" (no quotes) in your sshd_config.
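As an added example (not code from this PR, the openssh-portable port or FreeBSD), a small parser for the SSH identification string that separates the compiled-in software version from the comments field that VersionAddendum fills, so an administrator can check what a banner still discloses after setting "none". The sample banners are constructed from the strings quoted in this thread; the third one assumes the form sshd sends once the comments field is empty.

```python
"""Parse an SSH identification string (RFC 4253, section 4.2) and list
the optional elements it discloses."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Wire format: SSH-protoversion-softwareversion SP comments CR LF.
# sshd places the VersionAddendum text in the comments field, so an
# empty comments field is what "VersionAddendum none" produces.
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# OpenSSH software version: OpenSSH_<ver>[p<portable level>][-<compiled-in suffix>]
_OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?(?P<local>-.+)?$")


@dataclass
class Banner:
    proto: str
    software: str
    comments: Optional[str]            # None when the comments field is absent
    findings: List[str] = field(default_factory=list)


def parse_banner(line: str) -> Banner:
    """Split one identification line and record each optional element found."""
    m = _ID_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    b = Banner(m["proto"], m["software"], m["comments"])
    sw = _OPENSSH_RE.match(b.software)
    if sw and sw["portable"]:
        b.findings.append(f"portable patch level {sw['portable']}")
    if sw and sw["local"]:
        b.findings.append(f"compiled-in suffix {sw['local']}")  # not changeable at runtime
    if b.comments:
        b.findings.append(f"VersionAddendum text {b.comments!r}")  # sshd_config controls this
    return b


# Constructed samples: the strings quoted in this PR, plus the banner once
# VersionAddendum is set to "none" (same software version, no comments).
SAMPLES = [
    "SSH-2.0-OpenSSH_6.6.1\r\n",
    "SSH-2.0-OpenSSH_6.6.1p1-hpn14v2 FreeBSD-openssh-portable-6.6.p1_3,1\r\n",
    "SSH-2.0-OpenSSH_6.6.1p1-hpn14v2\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        b = parse_banner(s)
        print(f"{b.software:28} {'; '.join(b.findings) or 'base version only'}")
```

The hpn suffix remains in the software version after "none" because it comes from the compiled-in SSH_VERSION, not from sshd_config.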
A commit references this bug:

Author: bdrewery
Date: Sun Mar 29 04:17:55 UTC 2015
New revision: 382566
URL: https://svnweb.freebsd.org/changeset/ports/382566

Log:
  Make the VersionAddendum fix use the proper default. Once I ran into the X509 issue previously I failed to retest that the patch worked.

  PR: 193127

Changes:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/files/extra-patch-version-addendum