From ad7dcdb6283df7a9c12f8681f4057ad4b4c24a51 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Sat, 20 Apr 2024 17:15:15 +0200 Subject: [PATCH] ssh: remove the ability to fully customize the software version many clients rely on the version string to enable/disable some features. We only allow to hide the version number, clients must be able to reliably identify SFTPGo Signed-off-by: Nicola Murino --- docs/full-configuration.md | 2 +- internal/config/config.go | 6 +----- internal/config/config_test.go | 2 +- internal/sftpd/server.go | 10 +++++++++- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/full-configuration.md b/docs/full-configuration.md index 121250cf..c4358e0a 100644 --- a/docs/full-configuration.md +++ b/docs/full-configuration.md @@ -139,7 +139,7 @@ The configuration file contains the following sections: - `address`, string. Leave blank to listen on all available network interfaces. Default: "" - `apply_proxy_config`, boolean. If enabled the common proxy configuration, if any, will be applied. Default `true` - `max_auth_tries` integer. Maximum number of authentication attempts permitted per connection. If set to a negative number, the number of attempts is unlimited. If set to zero, the number of attempts is limited to 6. - - `banner`, string. Identification string used by the server. Leave empty to use the default banner. Default `SFTPGo_`, for example `SSH-2.0-SFTPGo_0.9.5` + - `banner`, string. Allow some degree of customization for the advertised software version. Set to `short` to hide the SFTPGo version number, if different from `short` the default will be used. The default is `SFTPGo_`, for example `SSH-2.0-SFTPGo_2.6.0`, if set to `short` the identification string will be `SSH-2.0-SFTPGo`. In previous SFTPGo releases we allowed to customize the whole software version, this is a bad idea because many clients rely on the version string to enable/disable some features. - `host_keys`, list of strings. It contains the daemon's private host keys. Each host key can be defined as a path relative to the configuration directory or an absolute one. If empty, the daemon will search or try to generate `id_rsa`, `id_ecdsa` and `id_ed25519` keys inside the configuration directory. If you configure absolute paths to files named `id_rsa`, `id_ecdsa` and/or `id_ed25519` then SFTPGo will try to generate these keys using the default settings. - `host_certificates`, list of strings. Public host certificates. Each certificate can be defined as a path relative to the configuration directory or an absolute one. Certificate's public key must match a private host key otherwise it will be silently ignored. Default: empty. - `host_key_algorithms`, list of strings. Public key algorithms that the server will accept for host key authentication. The supported values are: `rsa-sha2-512-cert-v01@openssh.com`, `rsa-sha2-256-cert-v01@openssh.com`, `ssh-rsa-cert-v01@openssh.com`, `ssh-dss-cert-v01@openssh.com`, `ecdsa-sha2-nistp256-cert-v01@openssh.com`, `ecdsa-sha2-nistp384-cert-v01@openssh.com`, `ecdsa-sha2-nistp521-cert-v01@openssh.com`, `ssh-ed25519-cert-v01@openssh.com`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `rsa-sha2-512`, `rsa-sha2-256`, `ssh-rsa`, `ssh-dss`, `ssh-ed25519`. Certificate algorithms are listed for backward compatibility purposes only, they are not used. Default values: `rsa-sha2-512`, `rsa-sha2-256`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`. diff --git a/internal/config/config.go b/internal/config/config.go index 846e5d58..92f368a9 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -58,7 +58,6 @@ const ( var ( globalConf globalConfig - defaultSFTPDBanner = fmt.Sprintf("SFTPGo_%v", version.Get().Version) defaultFTPDBanner = fmt.Sprintf("SFTPGo %v ready", version.Get().Version) defaultInstallCodeHint = "Installation code" defaultSFTPDBinding = sftpd.Binding{ @@ -255,7 +254,7 @@ func Init() { SFTPD: sftpd.Configuration{ Bindings: []sftpd.Binding{defaultSFTPDBinding}, MaxAuthTries: 0, - Banner: defaultSFTPDBanner, + Banner: "", HostKeys: []string{}, HostCertificates: []string{}, HostKeyAlgorithms: []string{}, @@ -761,9 +760,6 @@ func isExternalAuthScopeValid() bool { } func resetInvalidConfigs() { - if strings.TrimSpace(globalConf.SFTPD.Banner) == "" { - globalConf.SFTPD.Banner = defaultSFTPDBanner - } if strings.TrimSpace(globalConf.FTPD.Banner) == "" { globalConf.FTPD.Banner = defaultFTPDBanner } diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 475755b6..03fd4c1b 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -141,7 +141,7 @@ func TestEmptyBanner(t *testing.T) { err = config.LoadConfig(configDir, confName) assert.NoError(t, err) sftpdConf = config.GetSFTPDConfig() - assert.NotEmpty(t, strings.TrimSpace(sftpdConf.Banner)) + assert.Empty(t, strings.TrimSpace(sftpdConf.Banner)) err = os.Remove(configFilePath) assert.NoError(t, err) diff --git a/internal/sftpd/server.go b/internal/sftpd/server.go index 8d7861a5..8b1f2eee 100644 --- a/internal/sftpd/server.go +++ b/internal/sftpd/server.go @@ -41,6 +41,7 @@ import ( "github.com/drakkan/sftpgo/v2/internal/metric" "github.com/drakkan/sftpgo/v2/internal/plugin" "github.com/drakkan/sftpgo/v2/internal/util" + "github.com/drakkan/sftpgo/v2/internal/version" "github.com/drakkan/sftpgo/v2/internal/vfs" ) @@ -233,6 +234,13 @@ func (c *Configuration) ShouldBind() bool { return false } +func (c *Configuration) getServerVersion() string { + if c.Banner == "short" { + return "SSH-2.0-SFTPGo" + } + return fmt.Sprintf("SSH-2.0-SFTPGo_%v", version.Get().Version) +} + func (c *Configuration) getServerConfig() *ssh.ServerConfig { serverConfig := &ssh.ServerConfig{ NoClientAuth: false, @@ -250,7 +258,7 @@ func (c *Configuration) getServerConfig() *ssh.ServerConfig { return sp, nil }, - ServerVersion: fmt.Sprintf("SSH-2.0-%s", c.Banner), + ServerVersion: c.getServerVersion(), } if c.PasswordAuthentication {