Displaying an SSH Pre-login Banner

Recently, someone expressed difficulty with displaying a pre-login banner on an IOS device when connecting via SSH. Most of us are no doubt familiar with IOS' message of the day (MOTD) banner, which originated in the UNIX world. However, IOS supports several types of banners, which can get confusing:

Router(config)# banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

The IOS documentation provides a bit of detail on each of the different types, but the two types we're most concerned with are the login and exec banners. The MOTD banner is in fact not an ideal banner to use as it is not displayed consistently for both Telnet and SSH connections:

Banner   Telnet                  SSHv1                   SSHv2
motd     Displayed before login  Displayed after login   Displayed after login
login    Displayed before login  Not displayed           Displayed before login
exec     Displayed after login   Displayed after login   Displayed after login

Typically, you'll want to define at least a login banner, to provide the de facto yet tautological "unauthorized use is unauthorized" warning. An exec banner can additionally be defined to provide potentially sensitive information only after a user has authenticated.

banner exec ^C
You have logged in to $(hostname).$(domain).
^C
banner login ^C
###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

^C
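Because the display rules above differ by transport, it is easy to ship a config whose only warning is a MOTD banner that SSHv2 users never see before they authenticate. The following Python script is an added example, not part of the original post or of IOS: it parses the `banner <type> <delimiter> ... <delimiter>` blocks out of a running-config (handling both the `^C` rendering of Ctrl-C and a single-character delimiter glued to the text), encodes the table as a lookup, and reports which transports would get no pre-login banner, plus any `$(hostname)`/`$(domain)` tokens placed in a banner that is shown before login. The sample configs are constructed; the first mirrors the banners in the post.

```python
import re

# Constructed sample configs (not captured from a real device). The first
# mirrors the exec and login banners in the post, as "show running-config"
# renders them; the other two illustrate the failure modes the post warns about.
SAMPLE_CONFIG = """\
hostname Demarc
!
banner exec ^C
You have logged in to $(hostname).$(domain).
^C
banner login ^C
###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

^C
!
line vty 0 4
 transport input ssh
"""

MOTD_ONLY_CONFIG = "banner motd ^CUnauthorized access is prohibited.^C\n"
LEAKY_LOGIN_CONFIG = "banner login ^CWelcome to $(hostname).$(domain)^C\n"

# When (and whether) each banner type is shown, per transport: the table in the post.
DISPLAY = {
    "motd":  {"telnet": "pre",  "sshv1": "post", "sshv2": "post"},
    "login": {"telnet": "pre",  "sshv1": None,   "sshv2": "pre"},
    "exec":  {"telnet": "post", "sshv1": "post", "sshv2": "post"},
}

# Tokens the post reserves for the post-authentication exec banner.
SENSITIVE_TOKENS = ("$(hostname)", "$(domain)")

BANNER_RE = re.compile(r"^banner\s+(\S+)\s+(\S+)(.*)$")


def _split_delimiter(token):
    """IOS renders a Ctrl-C delimiter as the two characters '^C'; any other
    delimiter is a single character that may be glued to the banner text."""
    if token.startswith("^") and len(token) >= 2:
        return token[:2], token[2:]
    return token[0], token[1:]


def parse_banners(config):
    """Return {banner_type: text} for every 'banner <type> <delim>...<delim>' block."""
    banners = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        kind = m.group(1)
        delim, head = _split_delimiter(m.group(2))
        head += m.group(3)
        end = head.find(delim)
        if end != -1:                       # whole banner on one line
            banners[kind] = head[:end]
            i += 1
            continue
        text_lines = [head] if head else []  # multi-line banner: read to the closing delimiter
        i += 1
        while i < len(lines):
            end = lines[i].find(delim)
            if end != -1:
                if lines[i][:end]:
                    text_lines.append(lines[i][:end])
                break
            text_lines.append(lines[i])
            i += 1
        banners[kind] = "\n".join(text_lines)
        i += 1
    return banners


def pre_login_banners(banners, transport):
    """Configured banner types that a user on `transport` sees before authenticating."""
    return sorted(k for k in banners if DISPLAY.get(k, {}).get(transport) == "pre")


def audit(config):
    """Findings: transports with no pre-login banner, and pre-login banners
    that reveal hostname/domain tokens before authentication."""
    banners = parse_banners(config)
    findings = []
    for transport in ("telnet", "sshv1", "sshv2"):
        if not pre_login_banners(banners, transport):
            findings.append(f"no pre-login banner is shown to {transport} users")
    for kind in sorted(banners):
        if not any(v == "pre" for v in DISPLAY.get(kind, {}).values()):
            continue
        for tok in SENSITIVE_TOKENS:
            if tok in banners[kind]:
                findings.append(f"{kind} banner reveals {tok} before authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("post's config", SAMPLE_CONFIG),
                      ("motd only", MOTD_ONLY_CONFIG),
                      ("leaky login", LEAKY_LOGIN_CONFIG)):
        print(f"{name}: {audit(cfg) or ['OK']}")
```

Run against the post's own config, the only finding is the SSHv1 case, which the table says no banner can cover; the MOTD-only config shows why the post steers you to a login banner, and the third config shows the hostname token being exposed to anyone who merely connects. Feed it the output of `show running-config` from a device to check a fleet.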

This will result in the same behavior whether logging in via Telnet or SSHv2:

stretch@Sandbox ~ $ telnet 192.168.10.1
Trying 192.168.10.1...
Connected to 192.168.10.1.
Escape character is '^]'.

###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

User Access Verification

Username: stretch
Password:

You have logged in to Demarc.home.

Demarc# quit
Connection closed by foreign host.
stretch@Sandbox ~ $ ssh stretch@192.168.10.1

###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

Password:

You have logged in to Demarc.home.

Demarc#

About the Author

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

Comments

Thanks for the reminder... Saved to my iPad for when I forget again...

JCB

It's a useful article, thanks!

This issue came up today for me at work.

Using PuTTY doesn't display the login banner since it doesn't transmit the username.

Good explanation from the links stretch posted:

http://www.ciscostadium.org/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml#banners
