1

I work with a farm of Solaris 10 servers with some inconsistent behaviors in terms of displaying banners/motd.

This time, I am trying to do scp from one server to another. Between some servers I get no banner, and some I do.

I have already tried:

  • creating .hushlogin file
  • scp -q
  • scp -o LogLevel=Error
  • PrintMotd no in /etc/ssh/sshd_config
  • LogLevel QUIET in /etc/ssh/ssh_config

I am already not getting banners when using ssh, but the banner with scp still persists on some servers, and I'd like to find a way to turn it off.

I haven't got admin rights but can make requests for changes to specific configs.

scp session sample:

usera@server20$ scp a.sh server43:/tmp
###################################################################
# This system is for the use of authorized users only.            #
# Individuals using this computer system without authority, or in #
# excess of their authority, are subject to having all of their   #
# activities on this system monitored and recorded by system      #
# personnel.                                                      #
#                                                                 #
# Anyone using this system expressly consents to such monitoring  #
# and is advised that if such monitoring reveals possible         #
# evidence of criminal activity, system personnel may provide the #
# evidence of such monitoring to law enforcement officials.       #
###################################################################

WARNING: Access to this computer system is limited to authorised users only.
Unauthorised users may be subject to prosecution under the Crimes
Act or State legislation.

a.sh                 100% |***********************************************************************************************************|   602       00:00
usera@server20$

ssh session sample from a server in the farm:

usera@server20$  ssh server43
LI002: usera is allowed 2 concurrent logins
Last login: Tue Jun 16 2015 17:30:05 from pts/2
server43:usera>

ssh session sample from outside the farm:

login as: usera
###################################################################
# This system is for the use of authorized users only.            #
# Individuals using this computer system without authority, or in #
# excess of their authority, are subject to having all of their   #
# activities on this system monitored and recorded by system      #
# personnel.                                                      #
#                                                                 #
# Anyone using this system expressly consents to such monitoring  #
# and is advised that if such monitoring reveals possible         #
# evidence of criminal activity, system personnel may provide the #
# evidence of such monitoring to law enforcement officials.       #
###################################################################

WARNING: Access to this computer system is limited to authorised users only.
Unauthorised users may be subject to prosecution under the Crimes
Act or State legislation.

Using keyboard-interactive authentication.
Password:
LI002: usera is allowed 2 concurrent logins
Last login: Tue Jun 16 2015 18:40:41 from pts/1
server43:usera>
user55570

2 Answers

0

You've indicated that this SSH server is also doing regular SSH shell sessions as well as your desired sftp approach. Also, the following answer applies to the oldest OpenSSH version possible, v4.0.0p1 (except where otherwise noted). This answer applies to the latest Solaris 10 and 11, for they use OpenSSH v6.6p1,REV=2014.03.20.

My solution offers both regular SSH as well as scp/sftp.

Settings

The trick is to use the Match User sftp in the SSH server config with a couple of settings:

  • Banner
  • PrintMotd

Banner

The Banner setting is the name of the file whose contents are sent to the remote user before authentication is allowed. If the argument is none then no banner is displayed. By default, no banner is displayed.

Based on the OP, you probably had Banner yes somewhere in your file, and that is OK, for we can restrict that behavior without modifying that config line (more on this later).

PrintMotd

PrintMotd specifies whether sshd(8) should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is yes.

You probably did not have PrintMotd <anything> in your sshd_config config file, so the default is to always display the Message Of The Day.

Setting Block

To fix your issue, let us assume that the username for this SFTP/SCP activity is sftp.

The setting block to paste and use so that any and all sftp users do NOT see any banner or message of the day (MotD) is:

Match User sftp
    Banner none
    PrintMotd no

Placement of Settings

Our above setting block may go into one of the following filenames:

  • /etc/ssh/sshd_config (older distros using OpenSSH v7.3 or before, and up to macOS 12 Monterey version)
  • /etc/ssh/sshd_config.d/900-custom-match-sftp.conf (since OpenSSH v7.3 after year 2016)

RARE: While not very likely (unless the system admin is complex or it's a corporate environment), the above Match user sftp setting block must be placed and read before any Match all, Match canonical, or Match final block.

NOTE: Multi-file SSH server config loads its /etc/ssh/sshd_config.d in ASCII order. In the multi-file config approach, it is common to start the filename with a 2- or 3-digit number to ensure its proper read ordering. Our Match user setting block needs to be placed before any Match all, Match canonical, or Match final, so our number would be before their 970-* or 97-*, assuming that 9[7-9]-* and 9[7-9][0-9]-* are taken by other canonical/final/all setting blocks.

Reload/Restart SSH Server

Then reload/restart the SSH server.

The next scp or sftp login attempt will no longer show any banner or message of the day.

John Greene
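How the placement rule in the answer above plays out, as an added example that is not part of the original answer: a small Python model of how OpenSSH's sshd chooses Banner (a matching Match block overrides the global section, and among Match blocks the first one that sets the keyword wins). The config text and the /etc/issue path are constructed for illustration, and only Match all and Match User are modelled.

```python
import fnmatch

def _match_applies(criteria, user):
    """True if a Match line applies to `user` (only 'all' and 'User' are modelled)."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) == 2 and tokens[0].lower() == "user":
        patterns = tokens[1].split(",")
        # A negated pattern (!name) that matches vetoes the whole list.
        if any(p.startswith("!") and fnmatch.fnmatchcase(user, p[1:]) for p in patterns):
            return False
        return any(not p.startswith("!") and fnmatch.fnmatchcase(user, p) for p in patterns)
    return False  # Group/Host/Address criteria are outside this sketch

def effective_banner(config_text, user):
    """Return the Banner value that would apply to `user`, or None if never set."""
    global_val = match_val = None
    in_match, active = False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, arg = line.partition(" ")
        key, arg = key.lower(), arg.strip()
        if key == "match":
            in_match, active = True, _match_applies(arg, user)
        elif key == "banner":
            if not in_match:
                if global_val is None:
                    global_val = arg      # first global value wins
            elif active and match_val is None:
                match_val = arg           # first matching Match block wins
    return match_val if match_val is not None else global_val

# Constructed sample: Match User sftp placed BEFORE Match all.
GOOD = """
Match User sftp
    Banner none
Match all
    Banner /etc/issue
"""

# Constructed sample: same blocks, Match all first, so it shadows the sftp block.
BAD = """
Match all
    Banner /etc/issue
Match User sftp
    Banner none
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "sftp ->", effective_banner(cfg, "sftp"))
```

On a live OpenSSH host, `sshd -t` validates the edited file before a reload and `sshd -T -C user=sftp` prints the settings sshd would actually apply to that user; this model only illustrates the ordering.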
-1

Did you try this option: -o LogLevel=quiet