Timing of banner
Bob Rasmussen
ras at anzio.com
Sat Jul 2 05:20:33 EST 2011
Damien, thanks for the explanation.

My user's point has a certain validity, I think: the user isn't seeing
what they're logging into before giving a username. One might even
consider it a security issue, identifying yourself before you know who
you're talking to (although I realize the fingerprint verification
mitigates this).

I tried to achieve my goal by sending a 'none' authentication, getting the
banner, then sending a different type (e.g., keyboard-interactive), but
the server detected the change and closed the session. Is it possible that
by loosening that restriction in the sshd, both goals could be met?

On Sat, 2 Jul 2011, Damien Miller wrote:
> On Fri, 1 Jul 2011, Bob Rasmussen wrote:
>
> > A user at a Windows PC uses our SSH client software (Anzio) to access a
> > Linux sshd. User would like the banner from the server to display BEFORE
> > entering a login name.
> >
> > According to the SSH spec, this should be allowed. But the OpenSSH source
> > seems to have specifically prevented this. Is there a good reason for
> > this?
>
> We send the banner after the receipt of the first user authentication
> request. RFC4252 could be interpreted to allow sending the banner sooner,
> right after the "ssh-userauth" service has been requested, but we haven't
> tested this and doing so would remove the ability to vary the banner
> depending on the user who is connecting (as we can now with sshd_config
> "Banner" statements inside "Match" blocks).
>
> For the latter reason, we don't have any plans to send the banner earlier.
>
> -d
>
>
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.
personal e-mail: ras at anzio.com
company e-mail: rsi at anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA
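
The ordering discussed in this thread, as an added example that is not part of either message and is not OpenSSH code: it encodes the RFC 4252 SSH_MSG_USERAUTH_REQUEST and SSH_MSG_USERAUTH_BANNER payloads and models a server that can only pick a per-user banner once the first request has delivered the user name. The user names, banner texts and method list are constructed sample values, and `server_first_reply` is a hypothetical stand-in for the server side.

```python
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_BANNER = 53

def put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf: bytes, off: int):
    """Read one SSH 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:end], end

def userauth_request_none(user: str) -> bytes:
    """Client side: a 'none' request, the first message carrying the user name."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user.encode("utf-8"))
            + put_string(b"ssh-connection") + put_string(b"none"))

def parse_userauth_request(payload: bytes):
    """Return (user, service, method) from a USERAUTH_REQUEST payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = get_string(payload, 1)
    service, off = get_string(payload, off)
    method, off = get_string(payload, off)
    return user.decode("utf-8"), service.decode("ascii"), method.decode("ascii")

def banner_packet(text: str) -> bytes:
    """SSH_MSG_USERAUTH_BANNER: message string plus an empty language tag."""
    return (bytes([SSH_MSG_USERAUTH_BANNER]) + put_string(text.encode("utf-8"))
            + put_string(b""))

def server_first_reply(request: bytes, per_user: dict, default: str) -> list:
    """Toy server: choose the banner by user name, then reject 'none'."""
    user, _service, _method = parse_userauth_request(request)
    failure = (bytes([SSH_MSG_USERAUTH_FAILURE])
               + put_string(b"publickey,keyboard-interactive") + b"\x00")
    return [banner_packet(per_user.get(user, default)), failure]

# Constructed sample data: user names and banner texts are made up.
BANNERS = {"contractor": "Contractor access is logged.\n"}
replies = server_first_reply(userauth_request_none("contractor"), BANNERS,
                             "Authorized use only.\n")
```

A banner sent before any SSH_MSG_USERAUTH_REQUEST would have no user name to select on, so only the default text could be shown.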