Hello,
Yes, I understand. A client can suppress the banner. If you control
the client, compile out the options (patch it). If you don't or
can't, do the below. From what you require, see #2.
1) Set up motd (/etc/motd). One can symlink /etc/issue.net to
/etc/motd for ease.
and/or
2) Set up the allowed login shells' initial startup script (system
"/etc/profile" - not user)
From the Bash Reference Manual,
6.3.2 Is this Shell Interactive?
To determine within a startup script whether or not Bash is running
interactively, test the value of the `-' special parameter. It
contains i when the shell is interactive. For example:
    case "$-" in
    *i*) echo This shell is interactive ;;
    *) echo This shell is not interactive ;;
    esac
Alternatively, startup scripts may examine the variable PS1; it is
unset in non-interactive shells, and set in interactive shells. Thus:
    if [ -z "$PS1" ]; then
        echo This shell is not interactive
    else
        echo This shell is interactive
    fi
*For the faint of heart*
3) Try this: Enable the sshd directive "UseLogin yes". This calls
/bin/login in somewhat the same way that good old telnetd had. This is
less than ideal and I don't recommend it.
*For the advanced Admin*
4) Be a tricky admin and make `ssh` a script that extracts the user's
program arguments then calls the real ssh in a controlled manner.
Note, a tricky user can always call the real `ssh` themselves;
however, if one used SELinux or some other MAC this may also be
controlled. Also, avoid setting SUID on the script.
*For the programmer*
5) Remove the options then recompile the ssh client. This works until
a user installs their own unpatched copy of the ssh client.
Thank you.
Regards,
--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. [EMAIL PROTECTED]
m. 416 .414 .9934
http://TechDude.Ca/
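
An /etc/profile fragment for option 2 above, as an added example that is not part of the original message: it prints the banner only when `$-` marks the shell as interactive, so it does not depend on the client's `-q` or `LogLevel` setting. The names `LEGAL_BANNER_FILE`, `is_interactive` and `show_legal_banner` are assumptions; `/etc/issue.net` is the banner file named in the thread.

```shell
# Added example: fragment for the system-wide /etc/profile (not the
# users' own dotfiles). LEGAL_BANNER_FILE and both function names are
# assumptions; /etc/issue.net is the banner file named in this thread.
LEGAL_BANNER_FILE="${LEGAL_BANNER_FILE:-/etc/issue.net}"

# is_interactive FLAGS
# Succeeds when FLAGS (normally "$-") contains "i", the test quoted
# from the Bash Reference Manual.
is_interactive() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# show_legal_banner FLAGS [FILE]
# Writes the banner to stdout for interactive shells only. Output from
# a startup script in a non-interactive session can break scp, sftp
# and rsync transfers, so those sessions get nothing.
# Returns 0 = shown, 1 = not interactive, 2 = banner file unreadable.
show_legal_banner() {
    _lb_flags=$1
    _lb_file=${2:-$LEGAL_BANNER_FILE}
    is_interactive "$_lb_flags" || return 1
    [ -r "$_lb_file" ] || return 2
    cat "$_lb_file"
}

# The client's -q / LogLevel=quiet settings only affect what the client
# prints for itself; this text arrives as ordinary session output.
# "|| :" keeps a non-zero return from aborting the rest of /etc/profile.
show_legal_banner "$-" || :
```
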
On 29-Mar-07, at 6:37 PM, Bartick, Brett wrote:
Thanks for writing back, but I think you misunderstood my question.
On the system running the sshd daemon, sshd_config is setup to display
the banner. What I'm looking for is the following.
1. If I issue the command "ssh -q <hostname>", I still want our legal
banner to be displayed.
2. If I issue the command "ssh -o loglevel=quiet", I still want our
legal banner to be displayed.
The banner will not be displayed if you issue the commands above. I
always want to display the banner if the user is in interactive mode
(login shell). But if the user was in non-interactive mode, I would
want the above commands to operate as they currently do.
Brett Bartick
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Jason Muskat, GCFA, GCUX, de VE3TSJ
Sent: Thursday, March 29, 2007 3:04 AM
To: Bartick, Brett
Cc: [email protected]
Subject: Re: Can I prevent the ssh client from silencing banner in
interactive mode?
Hello,
SSH does have 'banner'. This is a pre login (pre-authentication
banner) message.
Example:
Banner /etc/issue.net
The contents of /etc/issue.net will be sent to the client upon connect
and before entering a password.
SSH also has 'PrintMotd'. This is a post login "message of the day"
(post-authentication banner) message. The file's location is system
dependent and is often located at /etc/motd.
Example:
PrintMotd yes
The contents of MOTD will be sent to the client after successfully
logging in before running the user's shell.
Also, nothing is stopping an Admin from editing the "/etc/profile"
(or whatnot) file adding in banner as well (echo statements).
One cannot control the client software. Don't try to. Control what
you can, the server. Using the three banners as above shows that
every effort to display a banner was made.
Regards,
--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. [EMAIL PROTECTED]
m. 416 .414 .9934
http://TechDude.Ca/
On 23-Mar-07, at 2:07 PM, Bartick, Brett wrote:
In today's world of legal MumboJumbo and Sarbanes-Oxley, I'd like to
know if it's possible to always display the banner when one connects
in an interactive mode and prevent the '-q' option or Loglevel quiet
in the config file from being enforced? Basically, we'd like to always
display a legal banner when one connects interactively to our systems.
OS: Solaris 2.8
SSH version: OpenSSH_4.5p1, OpenSSL 0.9.7m 23 Feb 2007
Regards,
Brett
PLEASE READ: This message is for the named person's use only. It
may contain confidential, proprietary or legally privileged
information. No confidentiality or privilege is waived or lost by
any mistransmission. If you receive this message in error, please
delete it and all copies from your system, destroy any hard copies
and notify the sender. You must not, directly or indirectly, use,
disclose, distribute, print, or copy any part of this message if
you are not the intended recipient. Nomura Holding America Inc.,
Nomura Securities International, Inc, and their respective
subsidiaries each reserve the right to monitor all e-mail
communications through its networks. Any views expressed in this
message are those of the individual sender, except where the
message states otherwise and the sender is authorized to state the
views of such entity. Unless otherwise stated, any pricing
information in this message is indicative only, is subject to
change and does not constitute an offer to deal at any price
quoted. Any reference to the terms of executed transactions should
be treated as preliminary only and subject to our formal written
confirmation.