[Bug 225] New: Suppression of login warning banner for noninteractive commands
bugzilla-daemon at mindrot.org
Tue Apr 23 10:55:54 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=225
Summary: Suppression of login warning banner for noninteractive
commands
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P4
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: cowboym at shmoo.com

The Banner directive available in SSH v2 provides a nice, easy method for
displaying login banners that are required in some corporate environments for
security policy compliance.

However, when writing scripts that connect noninteractively to remote hosts,
the banner is still displayed. If these scripts are to be run from crontab,
for example, the banner output is mailed to the user since it's treated as
error output. If the scripts issuing the remote commands via ssh attempt to
suppress the banner output by piping stderr to /dev/null, they also eliminate
any legitimate error output created by the commands executed on the remote
machine.

It would be desirable to modify the ssh client to silently discard any banner
messages received from the server if in fact the client is executing a
noninteractive command on the remote machine.

For example, here's an interactive ssh session:
catbert$ ssh dilbert
***********************************
* This is a restricted host *
***********************************
dilbert$
And here's a noninteractive session:
catbert$ ssh dilbert /bin/date
***********************************
* This is a restricted host *
***********************************
Mon Apr 22 16:52:11 AKDT 2002
catbert$
Here's what would be desirable:
catbert$ ssh dilbert /bin/date
Mon Apr 22 16:52:11 AKDT 2002
catbert$

So, to effect this change, I created the following patchfile. Granted, there
may be some installation somewhere that absolutely requires login banners for
everything, even noninteractive sessions, but I'm convinced that the number of
people in the same boat as myself far outnumbers these select few, so maybe the
suppression of the banners could be the default behavior, and displaying them
(for noninteractive sessions) could be a compile-time option.

********************************
--- ssh.c_orig Mon Apr 22 16:18:41 2002
+++ ssh.c Mon Apr 22 16:18:54 2002
@@ -113,6 +113,12 @@
int fork_after_authentication_flag = 0;
/*
+ * Flag to indicate the login banner from the server should not be displayed.
+ * This is usedful when issuing command on remote hosts noninteractively.
+ */
+int supress_banner = 0;
+
+/*
* General data structure for command line options and options configurable
* in configuration files. See readconf.h.
*/
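Review bot: The comment added above `int supress_banner = 0;` has a typo ("usedful") and says "issuing command" where "issuing commands" is meant, and the identifier itself is misspelled. Because the name becomes a cross-file symbol, rename it to `suppress_banner` now, and have the comment say when the flag is set (a command was given on the command line) rather than only why it is useful.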
@@ -576,6 +582,7 @@
}
} else {
/* A command has been specified. Store it into the buffer. */
+ supress_banner = 1;
for (i = 0; i < ac; i++) {
if (i)
buffer_append(&command, " ", 1);
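Review bot: `supress_banner = 1;` is set unconditionally in the "A command has been specified" branch, so a user or site has no way to keep the banner for remote commands. Where the Banner is shown for policy compliance it would be dropped silently; make the assignment conditional on a runtime option (command line or configuration file) instead of hard-coding it, and document the default that is chosen.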
--- sshconnect2.c_orig Mon Apr 22 16:18:50 2002
+++ sshconnect2.c Mon Apr 22 16:18:58 2002
@@ -57,6 +57,7 @@
/* import */
extern char *client_version_string;
extern char *server_version_string;
+extern int supress_banner;
extern Options options;
/*
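Review bot: The `extern int supress_banner;` added to the import list is a second hand-written declaration of the flag with no shared header behind it, so a later type or name change in ssh.c would not be caught by the compiler here. `extern Options options;` is already imported on the next line; carrying the flag as a field of Options would remove both the new global and this extern.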
@@ -320,7 +321,10 @@
debug3("input_userauth_banner");
msg = packet_get_string(NULL);
lang = packet_get_string(NULL);
- fprintf(stderr, "%s", msg);
+ if (supress_banner == 1)
+ debug3("noninteractive shell; banner supressed.");
+ else
+ fprintf(stderr, "%s", msg);
xfree(msg);
xfree(lang);
}
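Review bot: In input_userauth_banner the suppressed branch logs "noninteractive shell; banner supressed.", but the flag is set whenever a command is specified, which is not the same as a noninteractive session, so the message can mislead during debugging (it also carries the "supressed" misspelling). Word it after the real condition, for example "remote command given; banner suppressed", test with `if (supress_banner)` rather than `== 1`, and consider a more visible level than debug3 so an operator can tell that a server banner was discarded.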
****************************