ssh banner

mnauta · 10-11-2017, 11:29 AM

Hi,

I have an ssh banner set up, but would like to execute a script to show the incoming IP (just because I can, not for any valid security reason)

However the script works form the cli but not if executed by opening an ssh session here are the details.

/etc/ssh/sshd_config
Banner /usr/local/bin/mysshbanner

from cli I get:
mysshbanner
*******************************************
* *
* Welcome! ..... now leave please! *
* *
You are coming in from 192.168.1.33 port 42120
*******************************************

from starting ssh session I get:

ssh manuel@(removed)
#!/bin/bash
echo "*******************************************"
echo "* *"
echo "* Welcome! ..... now leave please! *"
echo "* *"
if [ -n "$SSH_CLIENT" ]
then
set $SSH_CLIENT
echo "You are coming in from $1 port $2"
fi
echo "*******************************************"
manuel@(removed) password:

Any suggested are appreciated.
Thanks
Manuel

Turbocapitalist · 10-11-2017, 12:35 PM

You could use "ForceCommand" for that. The following probaly works but I have not thought thoroughly about possible pitfalls:

Code:

ForceCommand /usr/local/bin/mysshbanner; sh -c 'if test -n "$SSH_ORIGINAL_COMMAND"; then $SSH_ORIGINAL_COMMAND; else $SHELL; fi'

A different question is whether it is a sound idea.

michaelk · 10-11-2017, 04:35 PM

One way of doing what you want is adding your code to the /etc/bashrc file. This is the system wide bashrc that is executed when any user logs in.

Code:

if [[ -n "$SSH_CONNECTION" ]]
then
   Echo "Welcome ..."
   set $SSH_CLIENT
   echo "You are coming in from $1 port $2"
fi

Either SSH_CLIENT OR SSH_CONNECTION should work.

Turbocapitalist · 10-11-2017, 10:01 PM

Actually, forget what I wrote in #2 above. michaelk's answer prompts me to remember that the manual page for sshd contains a quiet mention of /etc/ssh/sshrc, which is the global equivalent of ~/.ssh/rc.

Code:

man sshd

You can just put the working parts of your script into /etc/ssh/sshrc and it will run upon login with SSH.

lazydog · 10-12-2017, 01:10 PM

I'm watching this thread also as i'm interested in this as well.

The sshrc file works but is only displayed after you have logged in. I too would like to see it displayed with the banner also.

Turbocapitalist · 10-13-2017, 01:43 AM

Quote:

Originally Posted by lazydog

The sshrc file works but is only displayed after you have logged in. I too would like to see it displayed with the banner also.

I think that would require modification of the sshd source to add that new function. Currently it just reads a text file for the banner.

KenJackson · 10-13-2017, 10:19 AM

I do a similar thing. But I just use a common .bashrc file that I copy to every machine I have access to. Modifying it to get what you want would be something like this:

Code:

if [ -n "$SSH_CLIENT" ]; then           # Logged in via SSH
    p=${SSH_CLIENT#* }
    echo "You are coming from ${SSH_CLIENT%% *} port ${p% *}"
    unset p
fi

lazydog · 10-13-2017, 12:32 PM

Quote:

Originally Posted by Turbocapitalist

I think that would require modification of the sshd source to add that new function. Currently it just reads a text file for the banner.

Yeah, that is the conclusion I'm come too also.
Thanks.