Displaying an SSH Pre-login Banner
By stretch | Tuesday, May 25, 2010 at 2:00 p.m. UTC
Recently, someone expressed difficulty with displaying a pre-login banner on an IOS device when connecting via SSH. Most of us are no doubt familiar with IOS' message of the day (MOTD) banner, which originated in the UNIX world. However, IOS supports several types of banners, which can get confusing:
    Router(config)# banner ?
      LINE            c banner-text c, where 'c' is a delimiting character
      exec            Set EXEC process creation banner
      incoming        Set incoming terminal line banner
      login           Set login banner
      motd            Set Message of the Day banner
      prompt-timeout  Set Message for login authentication timeout
      slip-ppp        Set Message for SLIP/PPP
The IOS documentation provides a bit of detail on each of the different types, but the two types we're most concerned with are the login and exec banners. The MOTD banner is in fact not an ideal banner to use as it is not displayed consistently for both Telnet and SSH connections:
Banner | Telnet | SSHv1 | SSHv2 |
motd | Displayed before login | Displayed after login | Displayed after login |
login | Displayed before login | Not displayed | Displayed before login |
exec | Displayed after login | Displayed after login | Displayed after login |
Typically, you'll want to define at least a login banner, to provide the de facto yet tautological "unauthorized use is unauthorized" warning. An exec banner can additionally be defined to provide potentially sensitive information only after a user has authenticated.
    banner exec ^C
    You have logged in to $(hostname).$(domain).
    ^C
    banner login ^C
    ###############################################################
    #                                                             #
    #  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
    #                                                             #
    ###############################################################
    ^C
This will result in the same behavior whether logging in via Telnet or SSHv2:
    stretch@Sandbox ~ $ telnet 192.168.10.1
    Trying 192.168.10.1...
    Connected to 192.168.10.1.
    Escape character is '^]'.
    ###############################################################
    #                                                             #
    #  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
    #                                                             #
    ###############################################################
    User Access Verification
    Username: stretch
    Password:
    You have logged in to Demarc.home.
    Demarc# quit
    Connection closed by foreign host.
    stretch@Sandbox ~ $ ssh stretch@192.168.10.1
    ###############################################################
    #                                                             #
    #  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
    #                                                             #
    ###############################################################
    Password:
    You have logged in to Demarc.home.
    Demarc#
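The banner table above can be turned into a configuration check. The following is an added example, not code from the original post: it parses the banners out of an IOS configuration and reports where the pre-login warning would be missing or where hostname tokens would be shown before login. The function names and both sample configurations are constructed for illustration, and it assumes `ip ssh version 2` is the line that restricts the device to SSHv2.

```python
import re

# When each banner type is shown, per the table on this page (None = not displayed).
VISIBILITY = {
    "motd":  {"telnet": "before", "sshv1": "after", "sshv2": "after"},
    "login": {"telnet": "before", "sshv1": None,    "sshv2": "before"},
    "exec":  {"telnet": "after",  "sshv1": "after", "sshv2": "after"},
}
# "banner <type> <delim>": the configs on this page show the delimiter as "^C".
BANNER_RE = re.compile(r"^banner\s+(motd|login|exec)\s+(\^C|\S)(.*)$")

def parse_banners(config):
    """Return {type: text} for the motd/login/exec banners in an IOS config."""
    banners, lines = {}, iter(config.splitlines())
    for line in lines:
        m = BANNER_RE.match(line.strip())
        if not m:
            continue
        kind, delim, rest = m.groups()
        body = []
        while rest is not None and delim not in rest:  # text runs to the next delimiter
            body.append(rest)
            rest = next(lines, None)
        if rest is not None:
            body.append(rest.split(delim, 1)[0])
        banners[kind] = "\n".join(body).strip("\n")
    return banners

def audit(config):
    """List banner findings for a config, using the visibility table above."""
    banners, findings = parse_banners(config), []
    if not banners.get("login"):
        findings.append("no login banner: nothing is displayed before login over SSHv2")
    # Assumption: "ip ssh version 2" is the line that restricts the device to SSHv2.
    if not re.search(r"^\s*ip ssh version 2\s*$", config, re.M):
        findings.append("SSHv1 not disabled: login banner is not displayed over SSHv1")
    for kind, text in banners.items():
        pre_auth = "before" in VISIBILITY[kind].values()
        if pre_auth and re.search(r"\$\((hostname|domain)\)", text):
            findings.append(f"{kind} banner shows hostname/domain before login")
    return findings

# Constructed sample: only an MOTD banner, carrying the tokens the page keeps for exec.
WEAK = "hostname Demarc\nbanner motd ^C\nWelcome to $(hostname).$(domain)\n^C\nline vty 0 4\n"
# Constructed sample following the page: login warning, exec details, SSHv2 only.
GOOD = ("ip ssh version 2\nbanner exec ^C\nYou have logged in to $(hostname).$(domain).\n^C\n"
        "banner login ^C\nTHIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.\n^C\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("good", GOOD)):
        print(name, audit(cfg) or "no findings")
```
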
Posted in Remote Access
Comments
May 25, 2010 at 10:52 p.m. UTC
Thanks for the reminder... Saved to my iPad for when I forget again...
JCB
May 26, 2010 at 12:09 a.m. UTC
It's a useful article, thanks!
September 29, 2010 at 7:53 p.m. UTC
This issue came up today for me at work.
Using PuTTY doesn't display the login banner since it doesn't transmit the username.
Good explanation from links stretch posted
http://www.ciscostadium.org/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml#banners