Timing of banner

Ángel González keisial at gmail.com
Thu Nov 8 08:28:45 EST 2012

On 07/11/12 20:28, Bob Rasmussen wrote:
> I'd like to revisit this issue, as it has come up from another customer.
> The Issue: the customer (and their lawyers) would like to issue a banner 
> to be displayed to a user BEFORE the user attempts to authenticate to the 
> customer's server. This may be a legal disclaimer, terms and conditions, 
> or whatever. The current design of sshd prevents this, and will issue a 
> banner only after the user has sent a username.
> Earlier responses: One was that the current design allows different 
> banners on a per-user basis. Perhaps that's important. Other responses had 
> to do with security implications. I think those are not relevant to the 
> issue.
> The spec: RFC4252, section 5.4, includes these statements:
>    "In some jurisdictions, sending a warning message before
>    authentication may be relevant for getting legal protection."
>    "This message contains text to be displayed to the client user before 
>    authentication is attempted." Note *before*.
> I would argue that the current implementation does not comply with the 
> standard.
> One possible compromise would be to have a config switch to control 
> sending the "issue" (such as /etc/issue) if it exists.	
> Please consider making this change.

If you are willing to patch your openssh, I think the change is as
simple as adding
on the top of sshd_exchange_identification (about line 409 of sshd.c)

   #define MESSAGE "Whatever text you want to send, encoded in ISO-10646
    if (roaming_atomicio(vwrite, sock_out, MESSAGE "\r\n",
sizeof(MESSAGE) + 1)  != sizeof(MESSAGE) + 1) {
        logit("Could not sent legalese to %s", get_remote_ipaddr());

It is up to the client to show or ignore the message, but all clients
must be able to cope
with them (rfc4253 4.2). You can't send the banner any earlier.

As an alternative to patching ssh, you could run sshd from inetd, and
use a shell script wrapper
which simply outputs your banner before passing control to sshd.

More information about the openssh-unix-dev mailing list