Re: Can I prevent the ssh client from silencing banner in interactive mode?



Hello,

Yes, I understand. A client can suppress the banner. If you control the client, compile out the options (patch it). If you don't, or can't, do the below. From what you require, see #2.

1) set up motd (/etc/motd). One can symlink /etc/issue.net to /etc/motd for ease.

and/or

2) set up the allowed login shells' initial startup script (the system-wide "/etc/profile", not the user's)

From the Bash Reference Manual,
6.3.2 Is this Shell Interactive?

To determine within a startup script whether or not Bash is running interactively, test the value of the `-' special parameter. It contains i when the shell is interactive. For example:



case "$-" in
*i*) echo This shell is interactive ;;
*) echo This shell is not interactive ;;
esac

Alternatively, startup scripts may examine the variable PS1; it is unset in non-interactive shells, and set in interactive shells. Thus:



if [ -z "$PS1" ]; then
echo This shell is not interactive
else
echo This shell is interactive
fi


*For the faint of heart*

3) Try this: Enable the sshd directive "UseLogin yes". This calls /bin/login in somewhat the same way that good old telnetd did. This is less than ideal and I don't recommend it.

*For the advanced Admin*
4) Be a tricky admin and make `ssh` a script that extracts the user's program arguments then calls the real ssh in a controlled manner. Note, a tricky user can always call the real `ssh` themselves; however, if one used SELinux or some other MAC this may also be controlled. Also, avoid setting SUID on the script.

*For the programmer*
5) remove the options, then recompile the ssh client. This works until a user installs their own unpatched copy of the ssh client.



Thank you.

Regards,

--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@xxxxxxxxxxx
m. 416 .414 .9934

http://TechDude.Ca/

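The /etc/profile approach from option #2 above, as an added example that is not part of the original thread: a fragment for the system-wide profile that prints the legal banner only when the shell is interactive, so `ssh host command` stays quiet while an interactive login always sees the text. The banner path /etc/legal-banner and the function names are assumptions for illustration; the interactive test is the `$-` check quoted from the Bash manual, which also works in a POSIX /bin/sh.

```shell
# Added example, not code from the original thread. Fragment intended for the
# system-wide /etc/profile: print a legal banner for interactive shells only.
# /etc/legal-banner is an assumed location; point BANNER_FILE at your own text.
BANNER_FILE="${BANNER_FILE:-/etc/legal-banner}"

# shell_is_interactive FLAGS
# Return 0 (true) when FLAGS, normally the contents of "$-", contains the
# letter i, which the shell sets only when it is running interactively.
shell_is_interactive() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# show_legal_banner FLAGS FILE
# Print FILE when FLAGS marks an interactive shell and FILE is readable.
# Returns 0 when the banner was printed, 1 otherwise. The flag string and the
# path are parameters (rather than reading "$-" directly) so the logic can be
# exercised outside a real login.
show_legal_banner() {
    _flags=$1
    _file=$2
    if shell_is_interactive "$_flags" && [ -r "$_file" ]; then
        cat "$_file"
        return 0
    fi
    return 1
}

# In /etc/profile the actual call is simply:
#   show_legal_banner "$-" "$BANNER_FILE"
# Because the text is emitted by the server-side shell, the client's -q or
# LogLevel=quiet has no effect on it; those only silence the ssh client's own
# messages and the pre-authentication Banner.
```

Because the shell in an `ssh host command` session is not interactive, `$-` has no `i` and nothing is printed, which is the behaviour Brett asked for. Two caveats a practitioner should check: /etc/profile is read only by Bourne-family login shells (csh users on Solaris get /etc/.login instead, and need the same logic there), and anything sourced this early must never fail or exit, or every interactive login breaks.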

On 29-Mar-07, at 6:37 PM, Bartick, Brett wrote:

Thanks for writing back, but I think you misunderstood my question.

On the system running the sshd daemon, sshd_config is setup to display
the banner. What I'm looking for is the following.

1. If I issue the command "ssh -q <hostname>", I still want our legal
banner to be displayed.
2. If I issue the command ssh -o loglevel=quiet", I still want our legal
banner to be displayed.

The banner will not be displayed if you issue the commands above. I
always want to display the banner if the user is in interactive mode
(login shell). But if the user was in non-interactive mode, I would want
the above commands to operate as they currently do.

Brett Bartick

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jason Muskat, GCFA, GCUX, de VE3TSJ
Sent: Thursday, March 29, 2007 3:04 AM
To: Bartick, Brett
Cc: secureshell@xxxxxxxxxxxxxxxxx
Subject: Re: Can I prevent the ssh client from silencing banner in
interactive mode?

Hello,

SSH does have 'Banner'. This is a pre-login (pre-authentication banner)
message.

Example:
Banner /etc/issue.net

The contents of /etc/issue.net will be sent to the client upon connect
and before entering a password.

SSH also has 'PrintMotd'. This is a post login "message of the day"
(post-authentication banner) message. The file's location is system
dependent and is often located at /etc/motd.

Example:
PrintMotd yes

The contents of MOTD will be sent to the client after successfully
logging in, before running the user's shell.

Also, nothing is stopping an Admin from editing the "/etc/profile" (or
whatnot) file, adding in a banner as well (echo statements).


One cannot control the client software. Don't try to. Control what
you can, the server. Using the three banners as above shows that
every effort to display a banner was made.


Regards,

--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@xxxxxxxxxxx
m. 416 .414 .9934

http://TechDude.Ca/


On 23-Mar-07, at 2:07 PM, Bartick, Brett wrote:

In today's world of legal MumboJumbo and Sarbanes-Oxley, I'd like to know
if it's possible to always display the banner when one connects in an
interactive mode and prevent the '-q' option or LogLevel quiet in the
config file from being enforced? Basically, we'd like to always display
a legal banner when one connects interactively to our systems.

OS: Solaris 2.8
SSH version: OpenSSH_4.5p1, OpenSSL 0.9.7m 23 Feb 2007

Regards,

Brett


PLEASE READ: This message is for the named person's use only. It
may contain confidential, proprietary or legally privileged
information. No confidentiality or privilege is waived or lost by
any mistransmission. If you receive this message in error, please
delete it and all copies from your system, destroy any hard copies
and notify the sender. You must not, directly or indirectly, use,
disclose, distribute, print, or copy any part of this message if
you are not the intended recipient. Nomura Holding America Inc.,
Nomura Securities International, Inc, and their respective
subsidiaries each reserve the right to monitor all e-mail
communications through its networks. Any views expressed in this
message are those of the individual sender, except where the
message states otherwise and the sender is authorized to state the
views of such entity. Unless otherwise stated, any pricing
information in this message is indicative only, is subject to
change and does not constitute an offer to deal at any price
quoted. Any reference to the terms of executed transactions should
be treated as preliminary only and subject to our formal written
confirmation.
