SSHD Banners and rsync - SSH


Thread: SSHD Banners and rsync

  1. SSHD Banners and rsync

    I've searched for relevant topics and found a few on point. However,
    of the recommendations, "ssh -q" doesn't suppress the banner printing
    and while redirecting stderr to /dev/null does suppress the banner, it
    also suppresses any legitimate error messages.

    Is there a way to configure SSHD to only display the banner for
    interactive sessions (those without a command specified on the command
    line), or to configure SSHD to not display the banner for certain
    subnets (we only do rsync within our internal network).

    Thanks for any advice or comments.

    -Dave H.


  2. Re: SSHD Banners and rsync

    Dave Hammond wrote:
    > I've searched for relevant topics and found a few on point. However,
    > of the recommendations, "ssh -q" doesn't suppress the banner printing
    > and while redirecting stderr to /dev/null does suppress the banner, it
    > also suppresses any legitimate error messages.
    >
    > Is there a way to configure SSHD to only display the banner for
    > interactive sessions (those without a command specified on the command
    > line), or to configure SSHD to not display the banner for certain
    > subnets (we only do rsync within our internal network).


    On Solaris you can disable the banner within the sshd_config and this
    does not suppress the banner in interactive sessions as this is done by
    the shell or login process when it is configured by /etc/default/login.

  3. Re: SSHD Banners and rsync

    >On Solaris you can disable the banner within the sshd_config and this
    >does not suppress the banner in interactive sessions [...]


    I should have mentioned that the servers in question run Linux. For
    ssh logins the banner is only displayed if it is enabled in
    sshd_config.

    For the time being I have worked around it by writing an ssh wrapper
    that redirects stderr to /dev/null and specifying the wrapper program
    in the rsync command line. This works, but has the unfortunate
    side-effect of hiding any legitimate ssh error messages.

    -Dave H.
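
Added example, not part of any post in this thread: a wrapper function that removes only the banner lines from ssh's stderr, so real error messages and the exit status still reach rsync. The names `filter_banner` and `fake_ssh` are hypothetical, and the banner text and error line are constructed sample input.

```shell
#!/bin/sh
# filter_banner BANNER_FILE CMD [ARGS...]
# Runs CMD, removes stderr lines that exactly match a line of BANNER_FILE,
# and passes all other stderr, stdout and the exit status through unchanged.
filter_banner() {
    banner=$1; shift
    # No readable banner file: filter nothing rather than lose stderr.
    [ -r "$banner" ] || banner=/dev/null
    # fd 3 = caller's stdout, fd 4 = caller's stderr, fd 5 = exit status.
    # CMD's stderr goes into the pipe to grep, its stdout straight to fd 3.
    # grep: -F fixed strings, -x whole-line match, -v drop the matches.
    {
        code=$(
            {
                {
                    rc=0
                    "$@" 2>&1 >&3 3>&- 4>&- 5>&- || rc=$?
                    echo "$rc" >&5
                } | grep -vxFf "$banner" >&4 || true
            } 5>&1
        )
    } 3>&1 4>&2
    return "$code"
}

# Constructed stand-in for "ssh host command": a banner and one genuine
# error on stderr, payload on stdout, non-zero exit status.
fake_ssh() {
    printf 'NOTICE TO USERS\nauthorized use only\n' >&2
    echo 'rsync: connection unexpectedly closed' >&2
    echo 'payload'
    return 12
}

# Demo on the constructed input: only the rsync error reaches stderr.
demo_banner=$(mktemp)
printf 'NOTICE TO USERS\nauthorized use only\n' >"$demo_banner"
filter_banner "$demo_banner" fake_ssh || echo "exit status preserved: $?"
rm -f "$demo_banner"

# As an rsync remote shell, a wrapper script would keep only the function
# and end with:   filter_banner /etc/issue ssh "$@"
```

The client needs a local copy of the server's banner file for the comparison, and an error line identical to a banner line is dropped along with it.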


  4. Re: SSHD Banners and rsync


    There may be some confusion here, caused by ambiguity of the term
    "banner." The SSH user authentication protocol (SSH-AUTH) has a mechanism
    to send a "banner" to the client. This is done as a structured message
    within the protocol, and "ssh -q" does suppress displaying it. (see the
    sshd_config "Banner" option)

    More often, however, when people say "banners," they mean messages printed
    out by the shell when it starts up, because of code in system or per-user
    startup files. SSH, obviously, has no control over that. The issue here
    is that such startup files are poorly written: they should never print
    anything intended to be read by a human unless the connection is
    interactive, usually signalled by the presence of a tty. E.g.:

    tty -s && echo "Hi there! You're a human. Welcome to our system."

    Otherwise, such startup files are bound to foul up connections intended
    for program-to-program communication, by injecting junk into the
    connection. See also:

    http://www.snailbook.com/faq/sftp-corruption.auto.html

    --
    Richard Silverman
    res@qoxp.net


  5. Re: SSHD Banners and rsync

    >There may be some confusion here, caused by ambiguity of the term
    >"banner." The SSH user authentication protocol (SSH-AUTH) has a mechanism
    >to send a "banner" to the client. This is done as a structured message
    >within the protocol, and "ssh -q" does suppress displaying it. (see the
    >sshd_config "Banner" option)


    This explanation is counter to what I am experiencing with Linux (both
    Redhat and SuSE flavors). Given an /etc/issue file containing several
    paragraphs of legal warning jargon and a commented sshd_config Banner
    entry, an ssh session startup appears:

    daveh@lxrnd1:~> ssh plnet1
    daveh@plnet1's password:
    Last login: Fri Mar 17 14:37:40 2006 from dhcp-128079.chi.com
    daveh@plnet1:~>

    Modifying the sshd_config Banner entry to point to /etc/issue, the
    session startup now appears:

    daveh@lxrnd1:~> ssh plnet1
    ************************************************** *************************
    NOTICE TO USERS

    This computer system is the property of XXXXXXXXXXXXXXXXXX It is for
    authorized use only. Users (authorized or unauthorized) have no
    explicit
    or implicit expectation of privacy.

    [...]

    ************************************************** ***************************
    daveh@plnet1's password:

    Further, if I add the "-q" no change occurs:

    daveh@lxrnd1:~> ssh -q plnet1
    ************************************************** *************************
    NOTICE TO USERS

    This computer system is the property of XXXXXXXXXXXXXXXXXX It is for
    authorized use only. Users (authorized or unauthorized) have no
    explicit
    or implicit expectation of privacy.

    [...]

    ************************************************** ***************************
    daveh@plnet1's password:

    As for the sshd_config man page, the Banner section does not mention
    being suppressed by "-q":

    Banner  In some jurisdictions, sending a warning message before
            authentication may be relevant for getting legal protection.
            The contents of the specified file are sent to the remote user
            before authentication is allowed. This option is only
            available for protocol version 2. By default, no banner is
            displayed.

    This would seem to describe the exact usage that I am experiencing. Is
    this counter to the SSH specification?


  6. Re: SSHD Banners and rsync

    On 2006-03-16, Dave Hammond wrote:
    > I've searched for relevant topics and found a few on point. However,
    > of the recommendations, "ssh -q" doesn't suppress the banner printing
    > and while redirecting stderr to /dev/null does suppress the banner, it
    > also suppresses any legitimate error messages.


    In OpenSSH, ssh -q suppressing the SSH2 protocol banner is version
    dependent. 3.8 is the first version that does it; what version are
    you using?

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  7. Re: SSHD Banners and rsync

    >In OpenSSH, ssh -q suppressing the SSH2 protocol banner is version
    >dependent. 3.8 is the first version that does it; what version are
    >you using?


    And that's the answer. Our SuSE version 9 servers are running OpenSSH
    4.1 and the "-q" does suppress the banner on those machines. Those
    running SuSE version 8 (on which we are having the problem, and which
    are due to be upgraded in a week or so) have OpenSSH 3.4p1.

    Thanks!

    -Dave H.

