[SOLVED] How to set up a pre-login banner on OpenWrt?

I know that OpenWrt already has a welcome banner that appears after the user has successfully logged in. I am referring to a banner that gives a warning message to users who try to access SSH on my OpenWrt box.

I am not sure if that is possible, but I may be wrong. You can always limit the SSH functionality so no one else can snoop through. You may need to go through the documentation for that.

/etc/config/dropbear can take an option BannerFile '/path/to/text.txt', but it will be displayed between the username and the password prompt, resulting in something like

login as: root
This is the content of the text file.
root@192.168.1.1's password:

The dropbear man page states this UCI option (which is translated into the -b parameter) should display "before user login", so it seems to be intended behaviour to display the banner text at this particular point.

I would guess that to display text before the username prompt, you would have to patch and compile dropbear yourself.
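The UCI option described in the post above, as an added example that is not part of the original thread: a shell script for the router that writes a banner file, sets BannerFile on the first dropbear section and checks the result. The path /etc/banner.ssh, the banner wording and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed names: /etc/banner.ssh and the
# banner wording are illustrative; the first dropbear section is the one edited.
BANNER_PATH="${BANNER_PATH:-/etc/banner.ssh}"

# Write the warning text dropbear will send before the password prompt.
write_banner() {
    printf '%s\n' \
        'WARNING: authorized users only.' \
        'Connections to this device are logged.' > "$1" && chmod 644 "$1"
}

# Run on the router: store the option in /etc/config/dropbear and restart.
apply_banner() {
    write_banner "$BANNER_PATH" || return 1
    uci set "dropbear.@dropbear[0].BannerFile=$BANNER_PATH" &&
        uci commit dropbear &&
        /etc/init.d/dropbear restart
}

# Print the first value of OPTION in a UCI config file (quotes stripped).
# Limitation: values containing spaces are not handled.
get_opt() {
    awk -v k="$2" -v q="'" '
        $1 == "option" && $2 == k {
            v = $3; gsub(/"/, "", v); gsub(q, "", v); print v; exit
        }' "$1"
}

# Succeeds only if BannerFile is set and names a readable, non-empty file.
check_banner() {
    cfg="${1:-/etc/config/dropbear}"
    file=$(get_opt "$cfg" BannerFile)
    [ -n "$file" ] && [ -r "$file" ] && [ -s "$file" ]
}

# Usage on the device: sh banner.sh apply   (then)   sh banner.sh check
case "${1:-}" in
    apply) apply_banner ;;
    check) check_banner && echo "banner configured" ;;
esac
```

Run the check again after a firmware upgrade or config restore, since a BannerFile option that points at a file no longer present fails the check.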

You mean a PRE-login message.

I'm not understanding why this would be needed... SSH should only be allowed with PKI, and password logins should be disallowed (especially, and always for, root).

  • Provided you utilize a 2048RSA or ED25519 key, it's fundamentally, literally, impossible for the PKI encryption to be cracked. All SSH private keys should be protected with a complex password of at least 16 characters, containing 2 each of lowercase, uppercase, numbers, and symbols.

  • If you're allowing WAN access to SSH, the WAN side port should be an extremely high port that's not on a port scanner list, such as this one. Port scanners will rarely scan all 65,535 ports, and iptables rules can be added to block connections after a certain amount has been attempted.

I personally recommend to everyone I speak with to buy a YubiKey (I prefer the Nano), as you can store a multitude of different keys on it at the same time (SSH, GPG, X509 certs, 2FA, etc).

  • Provided you have a device with >16MB of ROM, you can utilize OpenSSH, which supports PAM. OpenSSH is large compared to DropBear, as you must install the client package as well in order to gain SCP support; however, OpenSSH is vastly more configurable than DropBear.

Can OpenSSH be configured through ExtRoot? I mean I know we can install packages there but do we really need to install it in the ROM?

All packages can be configured through extroot, however it should only be used as a last resort since USB flash based media likely has slower throughput than the ROM.

Yes, lleachii, a pre-login welcome message. It's done.
Thanks takimata and all you guys for the info.
