Index: kex.c =================================================================== --- kex.c +++ kex.c @@ -1189,7 +1189,7 @@ version_addendum = NULL; if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, - version_addendum == NULL ? "" : " ", + (version_addendum == NULL || *version_addendum == '\0') ? "" : " ", version_addendum == NULL ? "" : version_addendum)) != 0) { oerrno = errno; error_fr(r, "sshbuf_putf"); Index: readconf.h =================================================================== --- readconf.h +++ readconf.h @@ -168,6 +168,8 @@ char *hostbased_accepted_algos; char *pubkey_accepted_algos; + char *version_addendum; /* Appended to SSH banner */ + char *jump_user; char *jump_host; int jump_port; Index: readconf.c =================================================================== --- readconf.c +++ readconf.c @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" #include "digest.h" +#include "version.h" /* Format of the configuration file: @@ -141,6 +142,7 @@ typedef enum { oBadOption, + oVersionAddendum, oHost, oMatch, oInclude, oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout, oGatewayPorts, oExitOnForwardFailure, @@ -316,6 +318,7 @@ { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, { "knownhostscommand", oKnownHostsCommand }, + { "versionaddendum", oVersionAddendum }, { NULL, oBadOption } }; @@ -1861,6 +1864,22 @@ multistate_ptr = multistate_requesttty; goto parse_multistate; + case oVersionAddendum: + if (s == NULL) + fatal("%.200s line %d: Missing argument.", filename, + linenum); + len = strspn(s, WHITESPACE); + if (*activep && options->version_addendum == NULL) { + if (strcasecmp(s + len, "none") == 0) + options->version_addendum = xstrdup(""); + else if (strchr(s + len, '\r') != NULL) + fatal("%.200s line %d: Invalid argument", + filename, linenum); + else + options->version_addendum = xstrdup(s + len); + } + return 0; + case oIgnoreUnknown: charptr = &options->ignored_unknown; goto parse_string; @@ -2166,6 +2185,7 @@ initialize_options(Options * options) { memset(options, 'X', sizeof(*options)); + options->version_addendum = NULL; options->forward_agent = -1; options->forward_agent_sock_path = NULL; options->forward_x11 = -1; @@ -2522,6 +2542,8 @@ /* options->hostname will be set in the main program if appropriate */ /* options->host_key_alias should not be set by default */ /* options->preferred_authentications will be set in ssh */ + if (options->version_addendum == NULL) + options->version_addendum = xstrdup(SSH_VERSION_FREEBSD); /* success */ ret = 0; Index: servconf.c =================================================================== --- servconf.c +++ servconf.c @@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" +#include "version.h" static void add_listen_addr(ServerOptions *, const char *, const char *, int); @@ -431,7 +432,7 @@ if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_DSCP_CS1; if (options->version_addendum == NULL) - options->version_addendum = xstrdup(""); + options->version_addendum = xstrdup(SSH_VERSION_FREEBSD); if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) Index: ssh.1 =================================================================== --- ssh.1 +++ ssh.1 @@ -558,6 +558,7 @@ .It User .It UserKnownHostsFile .It VerifyHostKeyDNS +.It VersionAddendum .It VisualHostKey .It XAuthLocation .El Index: ssh.c =================================================================== --- ssh.c +++ ssh.c @@ -888,8 +888,14 @@ } break; case 'V': - fprintf(stderr, "%s, %s\n", - SSH_RELEASE, SSH_OPENSSL_VERSION); + if (options.version_addendum && + *options.version_addendum != '\0') + fprintf(stderr, "%s %s, %s\n", SSH_RELEASE, + options.version_addendum, + OPENSSL_VERSION_STRING); + else + fprintf(stderr, "%s, %s\n", SSH_RELEASE, + OPENSSL_VERSION_STRING); if (opt == 'V') exit(0); break; @@ -1150,7 +1156,8 @@ !use_syslog); if (debug_flag) - logit("%s, %s", SSH_RELEASE, SSH_OPENSSL_VERSION); + /* version_addendum is always NULL at this point */ + logit("%s, %s", SSH_RELEASE, OPENSSL_VERSION_STRING); /* Parse the configuration files */ process_config_files(host_arg, pw, 0, &want_final_pass); Index: ssh_config =================================================================== --- ssh_config +++ ssh_config @@ -44,3 +44,4 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h # UserKnownHostsFile ~/.ssh/known_hosts.d/%k +# VersionAddendum FreeBSD-20200214 Index: ssh_config.5 =================================================================== --- ssh_config.5 +++ ssh_config.5 @@ -1875,6 +1875,14 @@ .Sx VERIFYING HOST KEYS in .Xr ssh 1 . +.It Cm VersionAddendum +Specifies a string to append to the regular version string to identify +OS- or site-specific modifications. +The default is +.Dq FreeBSD-20180909 . +The value +.Cm none +may be used to disable this. .It Cm VisualHostKey If this flag is set to .Cm yes , Index: sshconnect.c =================================================================== --- sshconnect.c +++ sshconnect.c @@ -1560,7 +1560,8 @@ lowercase(host); /* Exchange protocol version identification strings with the server. */ - if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0) + if ((r = kex_exchange_identification(ssh, timeout_ms, + options.version_addendum)) != 0) sshpkt_fatal(ssh, r, "banner exchange"); /* Put the connection into non-blocking mode. */ Index: sshd.c =================================================================== --- sshd.c +++ sshd.c @@ -900,7 +900,13 @@ static void usage(void) { - fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSH_OPENSSL_VERSION); + if (options.version_addendum && *options.version_addendum != '\0') + fprintf(stderr, "%s %s, %s\n", + SSH_RELEASE, + options.version_addendum, OPENSSL_VERSION_STRING); + else + fprintf(stderr, "%s, %s\n", + SSH_RELEASE, OPENSSL_VERSION_STRING); fprintf(stderr, "usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n" " [-E log_file] [-f config_file] [-g login_grace_time]\n" Index: sshd_config =================================================================== --- sshd_config +++ sshd_config @@ -100,7 +100,7 @@ #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none -#VersionAddendum none +#VersionAddendum FreeBSD-20200214 # no default banner path #Banner none Index: sshd_config.5 =================================================================== --- sshd_config.5 +++ sshd_config.5 @@ -1772,7 +1772,10 @@ Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default is -.Cm none . +.Qq FreeBSD-20180909 . +The value +.Cm none +may be used to disable this. .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's Index: version.h =================================================================== --- version.h +++ version.h @@ -4,3 +4,11 @@ #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE + +#define SSH_VERSION_FREEBSD "FreeBSD-20200214" + +#ifdef WITH_OPENSSL +#define OPENSSL_VERSION_STRING OpenSSL_version(OPENSSL_VERSION) +#else +#define OPENSSL_VERSION_STRING "without OpenSSL" +#endif