Banner message for ssh

Using a pre-authentication banner with ssh lets a user confirm which host they are connecting to before a password is entered. This can help prevent a password from being typed into the wrong server. Banners are simple to configure but are often disabled in the default configuration.

I have configured a number of Linux hosts, running Debian/Ubuntu and OpenWrt distributions.

The banner message is contained in an “/etc/issue.ssh” file. This is not a standard file name, so distribution updates won’t try to replace it. The following is a sample format containing an example hostname. Customize the format as needed.

************************************************

  host.example.com - Authorized use only
  Access attempts are logged and monitored

************************************************

On systems whose sshd configuration includes a subdirectory of drop-in files, add a file such as “banner” to that directory with the following contents.

# Enable banner message before authentication

Banner /etc/issue.ssh

On other systems, edit the sshd configuration file to include the above “Banner” directive.

The Dropbear ssh server has a ‘-b’ option to specify the banner message. OpenWrt’s configuration file is “/etc/config/dropbear” which contains a BannerFile option.

After making the configuration changes, restart the ssh service. Then open an ssh connection to the server to verify that the banner is shown before the password prompt.
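The steps above (create the banner file, add the “Banner” directive, then verify) can be staged and checked before touching the live system. The script below is an added example, not part of the original post. It assumes a staging root (the STAGE variable, defaulting to ./stage; set it to / to write to a live host as root), and it names the drop-in file banner.conf because the stock Debian/Ubuntu sshd_config includes only *.conf files from /etc/ssh/sshd_config.d. The hostname in the banner is the page’s example host.

```shell
#!/bin/sh
# Added example: stage the ssh banner file and the sshd drop-in, then
# check that the Banner directive points at a file that exists.
# STAGE is an assumption of this example; it is not an sshd setting.
STAGE="${STAGE:-./stage}"

# Write /etc/issue.ssh (under STAGE) in the format shown in the post.
write_banner() {
  host="$1"
  mkdir -p "$STAGE/etc"
  cat > "$STAGE/etc/issue.ssh" <<EOF
************************************************

  $host - Authorized use only
  Access attempts are logged and monitored

************************************************
EOF
}

# Write the drop-in file that enables the banner before authentication.
# The .conf suffix matches the default "Include /etc/ssh/sshd_config.d/*.conf".
write_dropin() {
  mkdir -p "$STAGE/etc/ssh/sshd_config.d"
  cat > "$STAGE/etc/ssh/sshd_config.d/banner.conf" <<'EOF'
# Enable banner message before authentication
Banner /etc/issue.ssh
EOF
}

# Print the path from the first Banner directive in a config file.
# sshd uses the first occurrence of a keyword, so the first match wins here too.
banner_path() {
  awk 'tolower($1) == "banner" { print $2; exit }' "$1"
}

# Succeed only if the drop-in names a banner file that exists under STAGE.
check_banner() {
  p=$(banner_path "$STAGE/etc/ssh/sshd_config.d/banner.conf")
  [ -n "$p" ] && [ "$p" != "none" ] && [ -f "$STAGE$p" ]
}

# Usage: stage the files for the example host and report the result.
write_banner host.example.com
write_dropin
if check_banner; then
  echo "banner configured: $(banner_path "$STAGE/etc/ssh/sshd_config.d/banner.conf")"
else
  echo "banner missing or directive absent" >&2
fi
```

When writing to a live host, run `sshd -t` to validate the configuration before restarting the service, since a syntax error in a drop-in file prevents sshd from starting. A stale or unwanted entry in a user’s known_hosts file can be removed with `ssh-keygen -R hostname`.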

Users are rarely prompted to accept a host key, because the hosts they connect to are usually already known. If the host is not known, the banner message will not appear until after the host key has been accepted. If a connection to an unwanted server is accepted, that host’s key should be removed from the user’s “known_hosts” file.

NOTE: It is possible for an attacker to configure a server with the appropriate banner. In normal usage, the banner above provides a reasonable verification of the server’s identity.
