Template Version: @(#)onepager.txt 1.30 06/09/28 SMI

1. Introduction

1.1. Project/Component Working Name:
     New DisableBanner option in SunSSH

1.2. Name of Document Author/Supplier:
     Jan Pechanec

1.3. Date of This Document:
     01/16/07

1.4. Name of Major Document Customer(s)/Consumer(s):

1.4.2. The ARC(s) you expect to review your project:
     PSARC

1.4.4. The name of your business unit:
     Security

1.5. Email Aliases:
1.5.1. Responsible Manager: Craig.Payne@Sun.COM
1.5.2. Responsible Engineer: Jan.Pechanec@Sun.COM
1.5.3. Marketing Manager: Mark.Thacker@Sun.COM
1.5.4. Interest List: ssh-iteam@Sun.COM

2. Project Summary

2.1. Project Description:

In some jurisdictions, sending a warning message before authentication may be relevant for obtaining legal protection. Many UNIX machines, for example, normally display text from /etc/issue, or use TCP wrappers or similar software, to display a banner before issuing a login prompt. However, there is a clear difference between a user logging in for the first time and the (possibly many) subsequent logins that run SSH in remote command-only mode, for example a quick search and re-run of a regular command from the shell history. In some scenarios, an internal network for example, displaying a banner at any time might even be annoying, while having it configured for connections from outside might still be a mandatory part of the security strategy.

It is already possible to hush the banner message by specifying the '-q' option for quiet client operation, but that hushes other warning messages as well. The SSH Authentication Protocol (RFC 4252) permits the client side not to display a banner message (section "5.4 Banner Message"), so what we propose here is an option to disable the banner message completely, and also a way to disable it only for SSH remote command-only mode (SSH Connection Protocol, RFC 4254, section "6.5 Starting a Shell or a Command", specifying an SSH_MSG_CHANNEL_REQUEST packet with the "exec" request).
The SSH protocol specification does not say that the server should be the one to selectively decide whether to send a banner or not. This proposal is about SSH protocol 2.0 only; earlier versions of the protocol do not support displaying a banner message at all.

2.2. Risks and Assumptions:
     None.

3. Business Summary

3.1. Problem Area:
Customers want to display a banner message, but they want an option to disable it for selected client configurations.

3.3. Business Justification:
Some customers convert from RSH to SSH and report difficulty in configurations with banner messages in connection with remote command-only exec mode.

3.4. Competitive Analysis:
The most widely used implementation is the OpenSSH project, which has neither the proposed option nor any other way to achieve this.

4. Technical Description:

4.1. Details:
During the authentication phase, the server can send an SSH_MSG_USERAUTH_BANNER message before the authentication is over. This project would add a new option keyword and change the already existing code (on the client side) that handles SSH_MSG_USERAUTH_BANNER so that it displays the banner according to the newly added option keyword. The change is easy and straightforward.

4.2. Bug/RFE Number(s):
     4972643 wants banner page to display but not when issuing commands

4.5. Interfaces:
We propose a new keyword for the client side configuration files (ssh_config(5) and ~/.ssh/config). Interface stability is Committed:

     DisableBanner    the argument may be "yes", "no", or "in-exec-mode".
                      "no" is the default.

With respect to the chosen argument value "in-exec-mode", I directly followed the SSH Connection Protocol specification, which defines "exec" mode as remote command-only mode. This way we can easily extend it in the future, in a backward compatible way, to a comma separated list for the existing modes "shell" and "subsystem" or any other new modes that might come, using the generic "in-xyz-mode" template value.
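As an added illustration of how the proposed keyword from section 4.5 would be combined with ordinary ssh_config(5) Host blocks to express the internal/external policy described in section 2.1; this fragment is not part of the one-pager, and the host patterns are invented:

```text
# Added example, not from the one-pager; host names are invented.
# ssh_config(5) uses the first obtained value for each keyword, so the
# more specific Host blocks must come before the catch-all "Host *".

# Internal machines: operators re-run commands from history all day,
# so never show the banner for these. Note this only suppresses the
# banner on the client; the server still sends it.
Host *.corp.example
    DisableBanner yes

# Everything else: keep the banner for interactive (shell) logins and
# suppress it only for remote command-only ("exec") sessions, instead
# of using "-q", which would also hide other client warnings.
Host *
    DisableBanner in-exec-mode
```

Because the keyword is client-side, an administrator who needs the banner to reach users on every login path still has to rely on sshd_config(5) Banner on the server and on control of the client configuration files; DisableBanner cannot be enforced from the server.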
However, that is not needed now and I'm not convinced it will be needed in the future, so we won't include it in this case.

4.6. Doc Impact:
The manual page for ssh_config(5) would be changed. Diff follows:

--- ssh_config.0        Tue Jan 16 13:23:28 2007
+++ ssh_config.0.banner Tue Jan 16 14:25:00 2007
@@ -124,14 +124,24 @@
     ConnectionAttempts
             Specifies the number of tries (one per second) to make before
             falling back to rsh or exiting.  The argument must be an integer.
             This can be useful in scripts if the con-
             nection sometimes fails.  The default is 1.
 
+    DisableBanner
+
+            If set to "yes" it disables the display of banner
+            message. If set to "in-exec-mode" it disables the
+            display of banner message when in remote command mode
+            only. Default value is "no" which means that by default
+            the banner is displayed every time. See also Banner
+            option in sshd_config(5). This option applies to
+            protocol version 2 only.
+
     DynamicForward
             Specifies that a TCP/IP port on the local machine be forwarded
             over the secure channel.  The application pro-
             tocol is then used to determine where to connect to from the
             remote machine.  The argument must be a port number.  Currently
             the SOCKS4 protocol is supported, and ssh will

4.7. Admin/Config Impact:
     None.

4.9. I18N/L10N Impact:
     None. Banner messages are to be displayed exactly as specified on the server side.

4.10. Packaging & Delivery:
     SUNWsshr, SUNWman

4.11. Security Impact:
     N/A

4.12. Dependencies:
     N/A

5. Reference Documents:
     N/A

6. Resources and Schedule:

6.1. Projected Availability:
     project inception and integration: 1-2 Q 2007

6.5. ARC review type:
     FastTrack
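Review bot: the added DisableBanner paragraph in the ssh_config.0 hunk (section 4.6) should state explicitly that the option only controls whether the client displays the banner and does not stop the server from sending SSH_MSG_USERAUTH_BANNER; section 4.1 describes exactly that client-side change, but "disables the display of banner message" can be read as suppressing the message itself, which matters to administrators who rely on the banner for the legal-protection purpose given in section 2.1. Two smaller points in the same lines: "the display of banner message" is missing an article (twice; "the display of the banner message"), and "remote command mode" should match the term used throughout this document, "remote command-only mode", ideally with a mention of the "exec" channel request so readers know which sessions are affected.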