Displaying an SSH Pre-login Banner

By stretch | Tuesday, May 25, 2010 at 2:00 p.m. UTC

Recently, someone expressed difficulty with displaying a pre-login banner on an IOS device when connecting via SSH. Most of us are no doubt familiar with IOS' message of the day (MOTD) banner, which originated in the UNIX world. However, IOS supports several types of banners, which can get confusing:

Router(config)# banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

The IOS documentation provides a bit of detail on each of the different types, but the two types we're most concerned with are the login and exec banners. The MOTD banner is in fact not an ideal banner to use as it is not displayed consistently for both Telnet and SSH connections:

Banner   Telnet                  SSHv1                   SSHv2
motd     Displayed before login  Displayed after login   Displayed after login
login    Displayed before login  Not displayed           Displayed before login
exec     Displayed after login   Displayed after login   Displayed after login

Typically, you'll want to define at least a login banner, to provide the de facto yet tautological "unauthorized use is unauthorized" warning. An exec banner can additionally be defined to provide potentially sensitive information only after a user has authenticated.

banner exec ^C
You have logged in to $(hostname).$(domain).
^C
banner login ^C
###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

^C

This will result in the same behavior whether logging in via Telnet or SSHv2:

stretch@Sandbox ~ $ telnet 192.168.10.1
Trying 192.168.10.1...
Connected to 192.168.10.1.
Escape character is '^]'.

###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

User Access Verification

Username: stretch
Password:

You have logged in to Demarc.home.

Demarc# quit
Connection closed by foreign host.
stretch@Sandbox ~ $ ssh stretch@192.168.10.1

###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

Password:

You have logged in to Demarc.home.

Demarc#
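As an added example (not part of the original post, and not Cisco's or the author's code), the script below parses banner blocks out of a saved running-config using the delimiter convention shown above, then applies the Telnet/SSHv1/SSHv2 table to report which warning a client would see before authenticating and whether a pre-login banner expands device identity. Both sample configs are constructed; the second shows the motd-only case the post warns against.

```python
import re

# Constructed sample configs, in the form 'show running-config' prints banners:
# the delimiter appears as the literal two characters '^C'.
GOOD_CONFIG = """\
hostname Demarc
!
banner exec ^C
You have logged in to $(hostname).$(domain).
^C
banner login ^C
###############################################################
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
###############################################################
^C
!
line vty 0 4
 transport input ssh
"""

WEAK_CONFIG = """\
hostname Edge1
!
banner motd #Welcome to $(hostname), authorized users only#
!
line vty 0 4
 transport input telnet ssh
"""

BANNER_TYPES = {"motd", "login", "exec", "incoming", "prompt-timeout", "slip-ppp"}

# When each banner is shown relative to the login prompt, copied from the
# Telnet/SSHv1/SSHv2 table in the post. True = shown before authentication.
SHOWN_BEFORE_LOGIN = {
    "motd":  {"telnet": True,  "sshv1": False, "sshv2": False},
    "login": {"telnet": True,  "sshv1": False, "sshv2": True},
    "exec":  {"telnet": False, "sshv1": False, "sshv2": False},
}

# Substitution tokens that expand to device identity: fine after login,
# an information leak in a banner shown before it.
IDENTITY_TOKENS = ("$(hostname)", "$(domain)")


def parse_banners(config: str) -> dict[str, str]:
    """Map banner type -> body text for every banner block in an IOS config.

    'banner <type> <delim>' opens a block; the body runs until the next
    occurrence of <delim>, which may sit on the same line (short banners)
    or several lines later. The delimiter is '^C' when the running-config
    shows it that way, otherwise the single character after the type.
    """
    banners: dict[str, str] = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^banner\s+(\S+)\s+(.*)$", lines[i])
        i += 1
        if not m or m.group(1) not in BANNER_TYPES:
            continue
        btype, remainder = m.group(1), m.group(2)
        delim = "^C" if remainder.startswith("^C") else remainder[:1]
        chunks = [remainder[len(delim):]]
        # Keep pulling lines until the closing delimiter has been seen.
        while delim not in "\n".join(chunks):
            if i >= len(lines):
                raise ValueError(f"unterminated {btype} banner (delimiter {delim!r})")
            chunks.append(lines[i])
            i += 1
        body = "\n".join(chunks).split(delim, 1)[0]
        banners[btype] = body.strip("\n")
    return banners


def pre_login_banners(config: str, transport: str) -> list[str]:
    """Banner types a client on 'telnet', 'sshv1' or 'sshv2' sees before the login prompt."""
    banners = parse_banners(config)
    return [b for b in ("motd", "login") if b in banners and SHOWN_BEFORE_LOGIN[b][transport]]


def audit_banners(config: str) -> list[str]:
    """Findings about pre-login warning coverage, based on the post's table."""
    banners = parse_banners(config)
    findings = []
    if "login" not in banners:
        findings.append("no login banner: SSHv2 users see no warning before authenticating")
        if "motd" in banners:
            findings.append("motd is the only banner; over SSH it appears only after login")
    for btype in ("motd", "login"):
        for token in IDENTITY_TOKENS:
            if token in banners.get(btype, ""):
                findings.append(f"{btype} banner expands {token} in text shown before authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: shown before login over SSHv2 -> {pre_login_banners(cfg, 'sshv2')}")
        for finding in audit_banners(cfg):
            print("  -", finding)
```

Running it against a directory of backed-up running-configs is a quick way to find devices that still rely on a motd banner alone, which Telnet users will see but SSH users will not.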

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Remote Access

Comments


JC.Bogard (guest)
May 25, 2010 at 10:52 p.m. UTC

Thanks for the reminder... Saved to my iPad for when I forget again...

JCB


A guest
May 26, 2010 at 12:09 a.m. UTC

It's a useful article, thanks!


Bobfromfpl
September 29, 2010 at 7:53 p.m. UTC

This issue came up today for me at work.

Using PuTTY doesn't display the login banner since it doesn't transmit the username.

Good explanation from the links stretch posted:

http://www.ciscostadium.org/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml#banners
