1/26/11

Displaying an SSH Pre-login Banner

Recently, someone expressed difficulty with displaying a pre-login banner on an IOS device when connecting via SSH. Most of us are no doubt familiar with IOS' message of the day (MOTD) banner, which originated in the UNIX world. However, IOS supports several types of banners, which can get confusing:
Router(config)# banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP
The IOS documentation provides a bit of detail on each of the different types, but the two types we're most concerned with are the login and exec banners. The MOTD banner is in fact not an ideal banner to use as it is not displayed consistently for both Telnet and SSH connections:
Banner   Telnet                  SSHv1                   SSHv2
motd     Displayed before login  Displayed after login   Displayed after login
login    Displayed before login  Not displayed           Displayed before login
exec     Displayed after login   Displayed after login   Displayed after login
Typically, you'll want to define at least a login banner, to provide the de facto yet tautological "unauthorized use is unauthorized" warning. An exec banner can additionally be defined to provide potentially sensitive information only after a user has authenticated.
banner exec ^C
You have logged in to $(hostname).$(domain).
^C
banner login ^C
###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

^C
This will result in the same behavior whether logging in via Telnet or SSHv2:
stretch@Sandbox ~ $ telnet 192.168.10.1
Trying 192.168.10.1...
Connected to 192.168.10.1.
Escape character is '^]'.

###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

User Access Verification

Username: stretch
Password:

You have logged in to Demarc.home.

Demarc# quit
Connection closed by foreign host.
stretch@Sandbox ~ $ ssh stretch@192.168.10.1

###############################################################
#                                                             #
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
#                                                             #
###############################################################

Password:

You have logged in to Demarc.home.

Demarc#
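As an added example (not part of the original post), the following Python parses the banner blocks out of a saved IOS configuration and checks them against the display table above: it reports a missing login banner, a MOTD banner standing in for one, and $(hostname)/$(domain) tokens placed in the pre-login text where they would be expanded before authentication. The sample configuration is constructed for the example; as on a real device, the delimiter character must not appear inside the banner text.

```python
import re

# Constructed sample IOS config (not from a real device), using the multi-line
# banner form shown in the post: "banner <type> <delim>", text, delimiter alone.
SAMPLE_CONFIG = """\
banner exec ^C
You have logged in to $(hostname).$(domain).
^C
banner login ^C
###############################################################
#  THIS SYSTEM IS PROVIDED FOR USE BY AUTHORIZED USERS ONLY.  #
###############################################################

^C
"""

# Tokens IOS expands in banner text: fine after login, a leak before it.
SENSITIVE_TOKENS = ("$(hostname)", "$(domain)")

def parse_banners(config):
    """Return {banner_type: text} for every multi-line banner block."""
    banners, lines = {}, iter(config.splitlines())
    for line in lines:
        m = re.match(r"^banner\s+(\S+)\s+(\S+)\s*$", line)
        if not m:
            continue
        btype, delim = m.groups()
        body = []
        # Collect text up to the line carrying the closing delimiter.
        for text in lines:
            if delim in text:
                break
            body.append(text)
        banners[btype] = "\n".join(body)
    return banners

def audit_banners(config):
    """Check the pre-login notice against the Telnet/SSH display table."""
    banners = parse_banners(config)
    findings = []
    if "login" not in banners:
        findings.append("no login banner: SSHv2 and Telnet users get no pre-login notice")
        if "motd" in banners:
            findings.append("motd is displayed after login over SSH; it is not a substitute")
    else:
        for tok in SENSITIVE_TOKENS:
            if tok in banners["login"]:
                findings.append(f"login banner exposes {tok} before authentication")
    return banners, findings
```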
