session ssh UPDATE add ssh banner support

Author: roman

modules/[email protected]

@@ -269,6 +269,23 @@ module libnetconf2-netconf-server {
     }
   }
 
+  grouping ssh-server-banner-grouping {
+    description
+      "Grouping for the SSH server banner.";
+
+    leaf banner {
+      type string {
+        length "1..247";
+      }
+      description
+        "The banner that will be sent to the client when connecting to the server.
+         If not set, the libnetconf2 default with its version will be used.";
+
+      reference
+        "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol, section 4.2.";
+    }
+  }
+
   grouping system-auth-public-keys-grouping {
     description
       "Grouping for using the system configured keys in the SSH public key authentication method.";
@@ -350,6 +367,16 @@ module libnetconf2-netconf-server {
     uses ssh-authentication-params-grouping;
   }
 
+  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
+          "/ncs:ssh/ncs:ssh-server-parameters/ncs:server-identity" {
+    uses ssh-server-banner-grouping;
+  }
+
+  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
+          "/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:server-identity" {
+    uses ssh-authentication-params-grouping;
+  }
+
   augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters" +
           "/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
     case system-auth-public-keys {

src/server_config.c

@@ -663,6 +663,8 @@ nc_server_config_del_ssh_opts(struct nc_bind *bind, struct nc_server_ssh_opts *o
     free(opts->encryption_algs);
     free(opts->mac_algs);
 
+    free(opts->banner);
+
     free(opts);
 }
 
@@ -2970,6 +2972,43 @@ nc_server_config_asymmetric_key(const struct lyd_node *node, enum nc_operation o
     return ret;
 }
 
+static int
+nc_server_config_banner(const struct lyd_node *node, enum nc_operation op)
+{
+    int ret = 0;
+    struct nc_server_ssh_opts *opts;
+    struct nc_ch_client *ch_client = NULL;
+
+    assert(!strcmp(LYD_NAME(node), "banner"));
+
+    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
+        /* to avoid unlock on fail */
+        return 1;
+    }
+
+    if (nc_server_config_get_ssh_opts(node, ch_client, &opts)) {
+        ret = 1;
+        goto cleanup;
+    }
+
+    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+        free(opts->banner);
+        opts->banner = strdup(lyd_get_value(node));
+        NC_CHECK_ERRMEM_GOTO(!opts->banner, ret = 1, cleanup);
+    } else {
+        free(opts->banner);
+        opts->banner = NULL;
+    }
+
+cleanup:
+    if (is_ch(node)) {
+        /* UNLOCK */
+        nc_ch_client_unlock(ch_client);
+    }
+
+    return ret;
+}
+
 static int
 nc_server_config_client_authentication(const struct lyd_node *node, enum nc_operation op)
 {
@@ -3881,6 +3920,8 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, enum nc_opera
         ret = nc_server_config_auth_timeout(node, op);
     } else if (!strcmp(name, "asymmetric-key")) {
         ret = nc_server_config_asymmetric_key(node, op);
+    } else if (!strcmp(name, "banner")) {
+        ret = nc_server_config_banner(node, op);
     } else if (!strcmp(name, "ca-certs")) {
         ret = nc_server_config_ca_certs(node, op);
     } else if (!strcmp(name, "central-keystore-reference")) {

src/session.c

@@ -615,6 +615,29 @@ nc_session_get_port(const struct nc_session *session)
     return session->port;
 }
 
+#ifdef NC_ENABLED_SSH_TLS
+
+API const char *
+nc_session_ssh_get_banner(const struct nc_session *session)
+{
+    NC_CHECK_ARG_RET(NULL, session, NULL);
+
+    if (session->ti_type != NC_TI_SSH) {
+        ERR(NULL, "Cannot get the SSH banner of a non-SSH session.");
+        return NULL;
+    }
+
+    if (session->side == NC_SERVER) {
+        /* get the banner sent by the client */
+        return ssh_get_clientbanner(session->ti.libssh.session);
+    } else {
+        /* get the banner received from the server */
+        return ssh_get_serverbanner(session->ti.libssh.session);
+    }
+}
+
+#endif
+
 API const struct ly_ctx *
 nc_session_get_ctx(const struct nc_session *session)
 {

src/session.h

@@ -191,6 +191,18 @@ const char *nc_session_get_host(const struct nc_session *session);
  */
 uint16_t nc_session_get_port(const struct nc_session *session);
 
+#ifdef NC_ENABLED_SSH_TLS
+
+/**
+ * @brief Get the SSH banner sent by the peer.
+ *
+ * @param[in] session Session to get the banner from.
+ * @return SSH banner on success, NULL on error.
+ */
+const char *nc_session_ssh_get_banner(const struct nc_session *session);
+
+#endif
+
 /**
  * @brief Get session path (unix socket only).
  *

src/session_p.h

@@ -214,6 +214,8 @@ struct nc_server_ssh_opts {
     char *kex_algs;                         /**< Key exchange algorithms supported by the server. */
     char *mac_algs;                         /**< MAC algorithms supported by the server. */
 
+    char *banner;                           /**< SSH banner message. */
+
     uint16_t auth_timeout;                  /**< Authentication timeout. */
 };
 

src/session_server_ssh.c

@@ -42,6 +42,7 @@
 
 #include "compat.h"
 #include "log_p.h"
+#include "nc_version.h"
 #include "session.h"
 #include "session_p.h"
 #include "session_wrapper.h"
@@ -1918,7 +1919,7 @@ nc_accept_ssh_session(struct nc_session *session, struct nc_server_ssh_opts *opt
     ssh_bind sbind = NULL;
     int rc = 1, r;
     struct timespec ts_timeout;
-    const char *err_msg;
+    const char *err_msg, *banner;
 
     /* other transport-specific data */
     session->ti_type = NC_TI_SSH;
@@ -1960,6 +1961,17 @@ nc_accept_ssh_session(struct nc_session *session, struct nc_server_ssh_opts *opt
         goto cleanup;
     }
 
+    /* configure the ssh banner */
+    if (opts->banner) {
+        banner = opts->banner;
+    } else {
+        banner = "libnetconf2-" NC_VERSION;
+    }
+    if (ssh_bind_options_set(sbind, SSH_BIND_OPTIONS_BANNER, banner)) {
+        rc = -1;
+        goto cleanup;
+    }
+
     /* accept new connection on the bind */
     if (ssh_bind_accept_fd(sbind, session->ti.libssh.session, sock) == SSH_ERROR) {
         ERR(session, "SSH failed to accept a new connection (%s).", ssh_get_error(sbind));