OpenWRT banner or some minimal presentation when acting as SSH Tunnel server

Dear friends,

OpenWRT banner nicely shows when I login from a remote PC terminal with:
ssh root@openwrt_IP.

My OpenWRT is release 23.05.0, I have installed OpenSSH, disabled Dropbear, and allowed my PC to use Public Key Authentication.

Now, to use OpenWRT as an SSH Tunnel (Socks) server, I receive no banner or info from OpenWRT when I type in my remote PC terminal:
ssh root@openwrt_IP -N -D localhost:1080
There is silence in the PC terminal while the SSH Tunnel is working fine.

Is there a way to send some banner (preferably minimal info on OpenWRT release, etc.) from OpenWRT to a remote PC terminal which successfully logs in using the command:
ssh root@openwrt_IP -N -D localhost:1080

Have you looked at the '-b' feature of dropbear?
https://man.archlinux.org/man/extra/dropbear/dropbear.8.en

Thank you for your comment. But as I mentioned, I have installed OpenSSH and disabled Dropbear. So, I am really looking for a solution for OpenSSH and OpenSSH does not support the "-b banner" option.
OpenSSH looks at the config file /etc/ssh/sshd_config. That config file allows a line such as "Banner /etc/banner".
(After any update in that config file, one has to run the command /etc/init.d/sshd restart).
I tried the addition of the line "Banner /etc/banner" to the config file. The result was that the standard OpenWRT banner is showing when I run the command:
ssh root@openwrt_IP -N -D localhost:1080
which could be accepted as what I am looking for.
The pitfall is that the standard OpenWRT banner would show twice when this command is run for normal router access:
ssh root@openwrt_IP
That is not the end of the world, but it is not nice! So, what is going on here?

Easy. The first banner is shown by sshd, as part of the login protocol, the second by the shell, when sourcing /etc/profile.


Just to be clear, Dropbear does key-based authentication and tunneling as well. Not sure if you switched for preference or functionality, so I wanted to make note.

Thanks again for replying. But, I am not sure what I should do.
So, let's go back to the beginning.

  1. Assume I have not touched anything about 'banner' in /etc/ssh/sshd_config.
  2. My OpenWRT is release 23.05.0, I have installed OpenSSH, disabled Dropbear, and allowed my PC to use Public Key Authentication.
  3. OpenWRT banner nicely shows when I login from a remote PC terminal with:
    ssh root@openwrt_IP
  4. No banner is showing when I type in my remote PC terminal:
    ssh root@openwrt_IP -N -D localhost:1080
    There is silence in the PC terminal while the SSH Tunnel is working fine and OpenWRT is acting as an SSH Tunnel (Socks) server.
  5. How can I make OpenWRT send at least some minimal banner to the PC terminal in number 4 above, while the story in number 3 stays the same or does not change to something illogical?

You mentioned that sshd shows banners as part of the login protocol. Is that login protocol anywhere reachable by a normal user and how should it be changed?

From 'man sshd_config':

    Banner
        The contents of the specified file are sent to the remote
        user before authentication is allowed. If the argument is
        none then no banner is displayed. By default, no banner is
        displayed.

So using Banner the banner is sent to the client before the login prompt is shown. It's up to the client to decide what to do with it, but I assume default behaviour is to show it.
The banner shown by default OpenWrt login is shown by the shell. By using -N no shell is started, and so no banner.
You can get your desired behaviour by using Banner (or -b for dropbear) and removing the banner from /etc/profile.

I think I understand now.
Following your latest post, I did from within OpenWRT prompt:

# Comment out one line so that the shell skips showing the usual banner during default OpenWRT login.
sed -i -E 's:^(.+cat /etc/banner)$:#\1:' /etc/profile
#
# Add a line so that sshd sends the usual OpenWRT banner to the remote user before authentication is allowed.
sed -i -E 's:^(#Banner none):\1\nBanner /etc/banner:' /etc/ssh/sshd_config
/etc/init.d/sshd restart
exit

Things are working fine and I see the OpenWRT banner when running any of these commands:
ssh root@openwrt_IP
ssh root@openwrt_IP -N -D localhost:1080

Thanks a lot.

I was not sure if Dropbear had the equivalent of this option
-D localhost:1080
My router has 32MB flash and enough was left over to install OpenSSH, free ammunition to come in handy some day!

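The change worked out in the thread (comment out the shell's banner line, add a Banner directive to sshd_config), as an added example that is not code from any of the posters: it makes both edits safe to re-run and checks the config with `sshd -t` before restarting. Because the Banner file is sent before authentication, the banner path is a parameter so a shorter file can be named in place of /etc/banner; the function names and the stock OpenWrt paths in `apply_on_router` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the functions
# can be tried on copies before touching the router's real files.

# Comment out the shell's "cat /etc/banner" line. Lines that already contain
# a '#' before "cat" do not match, so re-running changes nothing.
disable_profile_banner() {
    profile=$1
    tmp="$profile.new.$$"
    sed -E 's:^([^#]*cat /etc/banner[[:space:]]*)$:#\1:' "$profile" > "$tmp" &&
        cat "$tmp" > "$profile"      # rewrite in place, keeping file mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Leave exactly one active Banner directive, placed right after the stock
# "#Banner none" line (global scope, ahead of any Match block).
# Returns 1 and leaves the file untouched if that anchor line is missing.
set_sshd_banner() {
    config=$1; banner=$2
    tmp="$config.new.$$"
    awk -v b="$banner" '
        tolower($1) == "banner" { next }     # drop previously active lines
        { print }
        /^#Banner none/ && !done { print "Banner " b; done = 1 }
        END { exit !done }
    ' "$config" > "$tmp" && cat "$tmp" > "$config"
    rc=$?; rm -f "$tmp"; return $rc
}

# Router-side wrapper (assumes stock OpenWrt paths). sshd is edited and
# validated first, so a bad config never reaches the restart and the shell
# banner is only removed once sshd is known to send one.
apply_on_router() {
    set_sshd_banner /etc/ssh/sshd_config "${1:-/etc/banner}" &&
        "$(command -v sshd)" -t -f /etc/ssh/sshd_config &&
        disable_profile_banner /etc/profile &&
        /etc/init.d/sshd restart
}
```

On the router, `apply_on_router` with no argument reproduces the thread's result; pass a path to send a different file as the pre-authentication banner.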