Pre login banner is use for sending a warning message before authentication may be relevant for getting legal protection or just give out information to users. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed (if you are using latest version of Linux/UNIX then you do not have to worry about version issue).
Procedure to change OpenSSH pre login banner
1) By default sshd server turns off this feature.
2) Login as the root user; create your login banner file:
# vi /etc/ssh/sshd-banner
Append text:
Welcome to nixCraft Remote Login!
3) Open sshd configuration file /etc/sshd/sshd_config using a text editor:
# vi /etc/sshd/sshd_config
4) Add/edit the following line:
Banner /etc/ssh/sshd-banner
5) Save file and restart the sshd server:
# /etc/init.d/sshd restart
6) Test your new banner (from Linux or UNIX workstation or use any other ssh client):
$ ssh vivek@rh3es.nixcraft.org
Output:
Welcome to nixCraft Labs!
vivek@ rh3es.nixcraft.org's password:
Please note that this feature may not work with third party ssh client such as Putty.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- My 10 UNIX Command Line Mistakes
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
Facebook it - Tweet it - Print it -
We're here to help you make the most of sysadmin work. So, subscribe!
{ 15 comments… read them below or add one }
if I telnet to ssh I still can read the version.
so, what’s this for?
If you want any credibility in court in case of unauthorized access, never say “welcome” on your banner. Your message should be along the lines of “you will suffer legal actions against you if you continue. Go away!”. I guess you can do whatever you want in /etc/motd.
But message in /etc/motd is displayed after login. If I use nc -vv I can still see version of ssh. so, what’s this for?
Great article. This site has easily become my main source in teaching myself GNU/Linux beyond the GUI.
Using Ubuntu 8.10 x64, sshd-banner was over-ridden by motd (per Pavel), so I used that file instead.
I agree w/ Alexandre… my motd states activity is logged & may be forwarded to law enforcement & citing parts of the local penal code.
I think step 3 has a typo:
/etc/sshd/sshd_config
At least on Red Hat 5 and Solaris 10, sshd_config is in /etc/ssh, not /etc/sshd.
You are right Daniel it is a typo.
sshd_config is in /etc/ssh – in Ubuntu Server too.
Forgot to say nice tip nevertheless. Thank you!
However: “ssh -q {login}@{server}” avoid the message.
You shouldn’t use /etc/motd for your legal warning, that is what /etc/issue and /etc/issue.net is for.
/etc/motd should come AFTER you login. /etc/motd is for system announcements and other impartant info that you want authenticated users to know about before they start to actaully use the system. /etc/issue* is for legal warnings to establish the terms and conditions by which someone is allowed to use the system.
This is a decent /etc/issue file:
—————————————————————————————————–
This is a private system.
Only authorized users may access this system with their individually
assigned user accounts. Sharing account information with anyone is prohibited.
All access to this system and all traffic to and from it may be monitored
by the system owner.
—————————————————————————————————–
After looking at issue.net this is the same as issue but for telnet sessions. How do you do the same thing but for SSH sessions?
Thanks.
In Solaris, for SSH you edit /etc/ssh/sshd_config:
Banner=/etc/issue
and put the pre-login message there.
I like this
—————————————————————————–
This computer system is for authorized users only. Individuals using this
system without authority or in excess of their authority are subject to
having all their activities on this system monitored and recorded or examined
by any authorized person, including law enforcement, as system personnel deem
appropriate. In the course of monitoring individuals improperly using the
system or in the course of system maintenance, the activities of authorized
users may also be monitored and recorded. Any material so recorded may be
disclosed as appropriate. Anyone using this system consents to these terms.
—————————————————————————–
Used this personally:
This computer system is the private property of its owner, whether
individual, corporate or government. It is for AUTHORIZED USE only.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate.
By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this warning.
This does not work for RHEL 5.x, 6.x, Fedora 11 or later, or even CentOS 5.x, 6.x. PuTTY .6x seems to ignore any banner before login. Using /etc/issue.net is USELESS for legal purposes because it is displayed after login id is entered. And /etc/motd is USELESS because login is already completed. Last, pam_echo.so should enforce this no matter what the SSH client does, but appears to only work on the actual console virtual terminals, not SSH sessions via PuTTY.
Here is a crazy thought: before you declare something useless, try actually reading the article. It works on all of the RHEL 5 and 6 and Solaris 10 servers I administer.
Also, note the title of the article. Does it mention telnet or PAM or the local console? No, it doesn’t. It only concerns login banners for logins over SSH. Don’t piss on an article someone contributed just because it doesn’t cover everything you might want to do.
To those who are coming up with their own banners: if you are doing this for a large organization or government entity, get advise from the legal team or upper management about what to put in. Every place may have different requirements.
Thanks again to the original contributors — it’s nice to have all of these basic tips in one place.