The Banner directive available in SSH v2 provides a nice, easy method for displaying login banners that are required in some corporate environments for security policy compliance. However, when writing scripts that connect noninteractively to remote hosts, the banner is still displayed. If these scripts are to be run from crontab, for example, the banner output is mailed to the user since it's treated as error output. If the scripts issuing the remote commands via ssh attempt to supress the banner output by piping stderr to /dev/null, they also eliminate any legitimate error output created by the commands executed on the remote machine. It would be desirable to modify the ssh client to silently discard any banner messages received from the server if in fact the client is executing a noninteractive command on the remote machine. For example, here's an interactive ssh session: catbert$ ssh dilbert *********************************** * This is a restricted host * *********************************** dilbert$ And here's a noninteractive session: catbert$ ssh dilbert /bin/date *********************************** * This is a restricted host * *********************************** Mon Apr 22 16:52:11 AKDT 2002 catbert$ Here's what would be desirable: catbert$ ssh dilbert /bin/date Mon Apr 22 16:52:11 AKDT 2002 catbert$ So, to effect this change, I created the following patchfile. Granted, there may be some installation somewhere that absolutely requires login banners for everything, even noninteractive sessions, but I'm convinced that the number of people in the same boat as myself far outnumber these select few, so maybe the supression of the banners could be the default behavior, and displaying them (for noninteractive sessions) could be a compile-time option. ******************************** --- ssh.c_orig Mon Apr 22 16:18:41 2002 +++ ssh.c Mon Apr 22 16:18:54 2002 @@ -113,6 +113,12 @@ int fork_after_authentication_flag = 0; /* + * Flag to indicate the login banner from the server should not be displayed. + * This is usedful when issuing command on remote hosts noninteractively. + */ +int supress_banner = 0; + +/* * General data structure for command line options and options configurable * in configuration files. See readconf.h. */ @@ -576,6 +582,7 @@ } } else { /* A command has been specified. Store it into the buffer. */ + supress_banner = 1; for (i = 0; i < ac; i++) { if (i) buffer_append(&command, " ", 1); --- sshconnect2.c_orig Mon Apr 22 16:18:50 2002 +++ sshconnect2.c Mon Apr 22 16:18:58 2002 @@ -57,6 +57,7 @@ /* import */ extern char *client_version_string; extern char *server_version_string; +extern int supress_banner; extern Options options; /* @@ -320,7 +321,10 @@ debug3("input_userauth_banner"); msg = packet_get_string(NULL); lang = packet_get_string(NULL); - fprintf(stderr, "%s", msg); + if (supress_banner == 1) + debug3("noninteractive shell; banner supressed."); + else + fprintf(stderr, "%s", msg); xfree(msg); xfree(lang); } ****************************
Please attach your patch to the bug rather than pasting it into the comments field (which corrupts patches).
Created attachment 311 [details] Suppress banner when -q specified (against OpenSBD) What about suppressing the banner when -q is specified? That way it's on by default but you can ignore it if you choose (eg in a cron job).
Another thought: printing the banner only if isatty(STDERR)?
should we switch from printf to logit? this way -q will suppress the banner.
Whatever works is fine by me (can't try it right now).
Created attachment 371 [details] Silence banner with -q Very simple patch
Applied (OpenBSD + Portable). - djm@cvs.openbsd.org 2003/08/25 10:33:33 [sshconnect2.c] fprintf->logit to silence login banner with "ssh -q"; ok markus@
Mass change of RESOLVED bugs to CLOSED