R. P. Channing Rodgers, M.D.
2002-May-01 20:02 UTC
Using openssh 3.1p1 on Solaris with tcp wrappers 7.6
Dear Open SSH and TCP Wrappers Colleagues,

We are trying to use open ssh 3.1p1 on SPARC platforms under Solaris 2.8 using gcc 2.95.2, in conjunction with tcp wrappers 7.6 (IPv6 version). The wrapping of open ssh is not too well documented but I think we have figured most of this out (hearty thanks to Wietse Venema, Jim Mintha & Niels Provos for their helpful email exchanges) -- but have one final question. Tcp wrappers can send out banner messages in response to various network service requests. The Banners.makefile that is used to create the various banner files from a prototype (inserting any special content that a particular service protocol such as ftp might require) does contain this comment:

# Other services: banners may interfere with normal operation
# so they should probably be used only when refusing service.
# In particular, banners don't work with standard rsh daemons.
# You would have to use an rshd that has built-in tcp wrapper
# support, for example the rshd that is part of the logdaemon
# utilities.

And there is no target to create a sshd banner. Is there a mechanism in open ssh, when using tcp wrappers, to support a banner? Thanks in advance for any helpful insights.

We would be happy to share our installation instructions for both systems and welcome comments about the most efficient way in which we might do so.

Cheerio, Rick Rodgers
What is wrong with the native 'Banner' option within OpenSSH? V2 protocol allows a banner to be presented.

- Ben

On Wed, 1 May 2002, R. P. Channing Rodgers, M.D. wrote:

> Dear Open SSH and TCP Wrappers Colleagues,
>
> We are trying to use open ssh 3.1p1 on SPARC platforms
> under Solaris 2.8 using gcc 2.95.2, in conjunction with
> tcp wrappers 7.6 (IPv6 version). The wrapping of open ssh
> is not too well documented but I think we have figured
> most of this out (hearty thanks to Wietse Venema, Jim
> Mintha & Niels Provos for their helpful email exchanges) --
> but have one final question. Tcp wrappers can send out
> banner messages in response to various network service
> requests. The Banners.makefile that is used to create
> the various banner files from a prototype (inserting any
> special content that a particular service protocol such
> as ftp might require) does contain this comment:
>
> # Other services: banners may interfere with normal operation
> # so they should probably be used only when refusing service.
> # In particular, banners don't work with standard rsh daemons.
> # You would have to use an rshd that has built-in tcp wrapper
> # support, for example the rshd that is part of the logdaemon
> # utilities.
>
> And there is no target to create a sshd banner. Is there
> a mechanism in open ssh, when using tcp wrappers, to
> support a banner? Thanks in advance for any helpful
> insights.
>
> We would be happy to share our installation instructions
> for both systems and welcome comments about the most
> efficient way in which we might do so.
>
> Cheerio, Rick Rodgers
There is no official mechanism for sending SSH banners that I am aware of. I once did a little hack in the SSH client to allow for additional text, newline terminated, that is sent prior to the SSH server version string. The banner would of course break generic clients.

Wietse

R. P. Channing Rodgers, M.D.:
> Dear Open SSH and TCP Wrappers Colleagues,
>
> We are trying to use open ssh 3.1p1 on SPARC platforms
> under Solaris 2.8 using gcc 2.95.2, in conjunction with
> tcp wrappers 7.6 (IPv6 version). The wrapping of open ssh
> is not too well documented but I think we have figured
> most of this out (hearty thanks to Wietse Venema, Jim
> Mintha & Niels Provos for their helpful email exchanges) --
> but have one final question. Tcp wrappers can send out
> banner messages in response to various network service
> requests. The Banners.makefile that is used to create
> the various banner files from a prototype (inserting any
> special content that a particular service protocol such
> as ftp might require) does contain this comment:
>
> # Other services: banners may interfere with normal operation
> # so they should probably be used only when refusing service.
> # In particular, banners don't work with standard rsh daemons.
> # You would have to use an rshd that has built-in tcp wrapper
> # support, for example the rshd that is part of the logdaemon
> # utilities.
>
> And there is no target to create a sshd banner. Is there
> a mechanism in open ssh, when using tcp wrappers, to
> support a banner? Thanks in advance for any helpful
> insights.
>
> We would be happy to share our installation instructions
> for both systems and welcome comments about the most
> efficient way in which we might do so.
>
> Cheerio, Rick Rodgers
I suspect your answers are in reference to version 1 of the protocol, since v2 has solutions for both of the things you raise.

> There is no official mechanism for sending SSH banners that I am
> aware of.

draft-ietf-secsh-userauth-15.txt Section 2.5

> I once did a little hack in the SSH client to allow for additional
> text, newline terminated, that is sent prior to the SSH server
> version string. The banner would of course break generic clients.

draft-ietf-secsh-transport-14.txt Section 3.2

    The server MAY send other lines of data before sending the version
    string. Each line SHOULD be terminated by a carriage return and
    newline. Such lines MUST NOT begin with "SSH-", and SHOULD be
    encoded in ISO-10646 UTF-8 [RFC2279] (language is not specified).
    Clients MUST be able to process such lines; they MAY be silently
    ignored, or MAY be displayed to the client user; if they are
    displayed, control character filtering discussed in [SSH-ARCH] SHOULD
    be used. The primary use of this feature is to allow TCP-wrappers to
    display an error message before disconnecting.

--
Darren J Moffat
Cool.

Wietse

Darren Moffat:
> I suspect your answers are in reference to version 1 of the protocol,
> since v2 has solutions for both of the things you raise.
>
> >There is no official mechanism for sending SSH banners that I am
> >aware of.
>
> draft-ietf-secsh-userauth-15.txt Section 2.5
>
> >I once did a little hack in the SSH client to allow for additional
> >text, newline terminated, that is sent prior to the SSH server
> >version string. The banner would of course break generic clients.
>
> draft-ietf-secsh-transport-14.txt Section 3.2
>
>     The server MAY send other lines of data before sending the version
>     string. Each line SHOULD be terminated by a carriage return and
>     newline. Such lines MUST NOT begin with "SSH-", and SHOULD be
>     encoded in ISO-10646 UTF-8 [RFC2279] (language is not specified).
>     Clients MUST be able to process such lines; they MAY be silently
>     ignored, or MAY be displayed to the client user; if they are
>     displayed, control character filtering discussed in [SSH-ARCH] SHOULD
>     be used. The primary use of this feature is to allow TCP-wrappers to
>     display an error message before disconnecting.
>
> --
> Darren J Moffat
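Added example (not code from the thread, OpenSSH or tcp_wrappers): the two SSH-2 banner channels Darren's reply points to, in working Python. The first function splits a server's opening bytes into the pre-version banner lines and the "SSH-" version string as the transport draft (later RFC 4253 section 4.2) requires, and filters terminal control data before the lines are shown, which is the hook a tcp_wrappers refusal banner can use. The second pair builds and parses the SSH_MSG_USERAUTH_BANNER payload from the userauth draft (later RFC 4252 section 5.4), which is how the sshd_config 'Banner' directive Ben mentions actually reaches the client. The function names, the sample byte stream, the version string in it and the 192.0.2.10 address are all constructed for this illustration.

```python
"""Two SSH-2 banner channels: pre-version lines and SSH_MSG_USERAUTH_BANNER.
Added example; the sample stream below is constructed, not captured."""
import re
import struct

SSH_MSG_USERAUTH_BANNER = 53  # message number from the userauth spec

# CSI escape sequences (ESC [ params intermediates final): the usual vehicle
# for terminal tricks in attacker-controlled banner text.
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")


def split_preamble(stream):
    """Split the first bytes read from a server into
    (banner_lines, version_line, remainder).

    Banner lines SHOULD end in CRLF and MUST NOT start with "SSH-"; the
    first line that does start with "SSH-" is the version string. A bare
    LF is tolerated because real banners often use it.
    """
    banners = []
    pos = 0
    while True:
        nl = stream.find(b"\n", pos)
        if nl < 0:
            raise ValueError("stream ended before an SSH- version string")
        line = stream[pos:nl]
        if line.endswith(b"\r"):
            line = line[:-1]
        pos = nl + 1
        if line.startswith(b"SSH-"):
            return banners, line, stream[pos:]
        banners.append(line)


def sanitize_for_display(raw):
    """Decode a banner line as UTF-8 and strip terminal control data, the
    filtering the transport draft says a client SHOULD apply before
    showing server-supplied text to the user."""
    text = raw.decode("utf-8", errors="replace")
    text = _CSI.sub("", text)
    return "".join(ch for ch in text
                   if ch == "\t" or (ch >= " " and ch != "\x7f"))


def _ssh_string(data):
    # SSH "string": uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_userauth_banner(message, language=""):
    """Payload of SSH_MSG_USERAUTH_BANNER: byte 53, string message (UTF-8),
    string language tag. Packet framing and encryption are outside this."""
    return (bytes([SSH_MSG_USERAUTH_BANNER])
            + _ssh_string(message.encode("utf-8"))
            + _ssh_string(language.encode("ascii")))


def parse_userauth_banner(payload):
    """Inverse of build_userauth_banner; rejects wrong type and trailing bytes."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_BANNER:
        raise ValueError("not a USERAUTH_BANNER payload")
    message, off = _read_ssh_string(payload, 1)
    language, off = _read_ssh_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    return message.decode("utf-8"), language.decode("ascii")


# Constructed sample: two lines a tcp_wrappers front end might write before
# closing or handing off the socket, then sshd's version string and the
# first bytes of its binary packet stream (length 300, padding 10, KEXINIT).
SAMPLE_STREAM = (
    b"Access to this host is restricted.\r\n"
    b"\x1b[2JConnection logged from 192.0.2.10\r\n"
    b"SSH-2.0-OpenSSH_3.1p1\r\n"
    b"\x00\x00\x01\x2c\x0a\x14"
)


def demo():
    banners, version, rest = split_preamble(SAMPLE_STREAM)
    shown = [sanitize_for_display(b) for b in banners]
    payload = build_userauth_banner("Authorized use only.\n", "en-US")
    return shown, version.decode("ascii"), rest[:4], parse_userauth_banner(payload)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The pre-version path is the only one a wrapper outside sshd can use, since it writes plain text on the socket before any key exchange; the userauth banner is generated by sshd itself after the transport is encrypted, so it cannot be injected by tcp_wrappers but also cannot be tampered with on the wire.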