Timing of banner

Bob Rasmussen ras at anzio.com
Thu Nov 8 06:28:26 EST 2012 

I'd like to revisit this issue, as it has come up from another customer.

The Issue: the customer (and their lawyers) would like to issue a banner 
to be displayed to a user BEFORE the user attempts to authenticate to the 
customer's server. This may be a legal disclaimer, terms and conditions, 
or whatever. The current design of sshd prevents this, and will issue a 
banner only after the user has sent a username.

Earlier responses: One was that the current design allows different 
banners on a per-user basis. Perhaps that's important. Other responses had 
to do with security implications. I think those are not relevant to the 
issue.

The spec: RFC4252, section 5.4, includes these statements:

   "In some jurisdictions, sending a warning message before
   authentication may be relevant for getting legal protection."

   "This message contains text to be displayed to the client user before 
   authentication is attempted." Note *before*.

I would argue that the current implementation does not comply with the 
standard.

One possible compromise would be to have a config switch to control 
sending the "issue" (such as /etc/issue) if it exists.	

Please consider making this change.

On Fri, 1 Jul 2011, Daniel Kahn Gillmor wrote:

> On 07/01/2011 03:20 PM, Bob Rasmussen wrote:
> > My user's point has a certain validity, I think: the user isn't seeing 
> > what they're logging into before giving a username. One might even 
> > consider it a security issue, identifying yourself before you know who 
> > you're talking to (although I realize the fingerprint verification 
> > mitigates this).
> 
> From a security standpoint, the fingerprint verification doesn't just
> mitigate this; it is the *only* thing that addresses this security
> concern.  Reliance on a trivially replayable banner for identifying the
> host would be an insecure practice.
> 
> i haven't thought through the rest of the tradeoffs (there may well be a
> case to be made for an earlier banner in the opening
> handshake/negotiation); i just wanted to be clear that the argument by
> security (for users to identify the host) is flawed.
> 
> 	--dkg
> 
> 

Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.

personal e-mail: ras at anzio.com
 company e-mail: rsi at anzio.com
          voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
            fax: (US) 503-624-0760
            web: http://www.anzio.com
 street address: Rasmussen Software, Inc.
                 10240 SW Nimbus, Suite L9
                 Portland, OR  97223  USA

More information about the openssh-unix-dev mailing list