A problem can arise when you are trying to connect from behind a NAT router using OpenSSH. During session setup, once authentication has completed, OpenSSH sets the TOS (type of service) field in the IP header of its packets. Some routers are known to choke on this, and the effect is that your session hangs indefinitely right after you have given your password (or key passphrase: in the example below authentication succeeds and the session stalls while the channel is being opened). Here is example output from such an ssh session:
user@localhost:~$ ssh -vvv {user-name}@cvs.savannah.gnu.org
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
[...]
Enter passphrase for key '{homedir}/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
[...]
debug2: fd 5 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
and from here on the session hangs.
The fix is to make ssh send all its traffic via netcat, because netcat
won't set the TOS field. For this to work, you need to have netcat
installed. You can test this by entering at the command line:
user@localhost:~$ which nc
and if you get a path back, like:
/bin/nc
then you probably have netcat installed. For the very cautious, you
could also issue:
user@localhost:~$ nc -h
and look at the upcoming help text. If you don't have netcat, you can
find it at http://netcat.sourceforge.net/. You may also want to try
the packaging system which comes with your operating system
distribution.
Once you have found that netcat is installed, issue the following
command to test whether the netcat route solves your problem:
ssh -o "ProxyCommand nc %h %p" {user-name}@cvs.savannah.gnu.org
where {user-name} is your Savannah login name. For a successful
login, you should get output similar to this (with no hanging, i.e.
you get a prompt back afterwards):
user@localhost:~$ ssh -o "ProxyCommand nc %h %p" {user-name}@cvs.savannah.gnu.org
Enter passphrase for key '{home-dir}/.ssh/id_rsa':
Last login: {datetime} from {ip-adr}
You tried to execute:
Sorry, you are not allowed to execute that command.
Connection to cvs.savannah.gnu.org closed.
user@localhost:~$
If you find that your login works via the netcat route, you can
make it permanent by adding a directive to the ssh config file
~/.ssh/config
(or, if that file doesn't exist, create it):
ProxyCommand nc %h %p
Written like this, outside any Host stanza, the directive applies to
every host you ssh to; if you only want it for the affected server,
put it under a Host stanza for cvs.savannah.gnu.org instead.
Here's an example ssh config file in a user's home folder
(/home/user/.ssh/config):
# This is the ssh client user configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# this user, and the values can be changed on the command line.
#
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
#
# Directive to overcome TOS issue with our NAT router. During session setup,
# OpenSSH sets the TOS (type of service) field after the user has submitted
# the password. Some routers are known to choke on this, with the result
# that the session hangs during buildup. As workaround we send our traffic
# via netcat which doesn't set the TOS field.
ProxyCommand nc %h %p
It's advisable to keep the comments as well, otherwise six months later you may find yourself wondering what that directive is all about.
You could also add this directive to your global ssh config file (/etc/ssh/ssh_config), but that change would be system wide, and not all users on your system may appreciate it.
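As an added example (not part of the original page), the following POSIX shell script puts the steps above together: it looks for a netcat binary, tries the ProxyCommand route once with server-alive probes so that a still-broken path ends in a timeout instead of hanging forever, and prints a Host-scoped config block so the workaround affects only the one server. The default host name cvs.savannah.gnu.org is taken from the page; the function names, the script name and the use of ServerAliveInterval/ServerAliveCountMax are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the Savannah page: check for netcat, test the
# ProxyCommand route once, and emit a Host-scoped ~/.ssh/config block.
# Usage: sh nc-proxy-check.sh {user-name} [host]
# (host defaults to cvs.savannah.gnu.org, the server discussed on the page)

# Return the first netcat-compatible binary on PATH. GNU netcat, OpenBSD nc
# and Nmap's ncat all accept "<host> <port>" as positional arguments, which
# is all that "ProxyCommand nc %h %p" relies on.
find_netcat() {
    for candidate in nc ncat netcat; do
        if path=$(command -v "$candidate" 2>/dev/null) && [ -x "$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# Print the ProxyCommand scoped to a single host. ssh expands %h and %p to
# the host name and port itself, and it still verifies the server's host key
# against known_hosts over the netcat pipe, so the tunnel does not weaken the
# SSH security properties; it only changes which process opens the TCP socket.
host_block() {
    host=$1
    ncbin=$2
    printf 'Host %s\n' "$host"
    printf '    # Workaround for NAT routers that choke once OpenSSH sets the IP TOS\n'
    printf '    # field after authentication; netcat never touches TOS.\n'
    printf '    ProxyCommand %s %%h %%p\n' "$ncbin"
}

# Try the netcat route once. Without the ServerAlive options a still-broken
# path hangs forever; with them ssh sends a probe every 5 s and disconnects
# after 4 unanswered probes, so failure shows up as a timeout after ~20 s.
# A key passphrase prompt is expected, exactly as in the page's transcript.
test_proxy_route() {
    user=$1
    host=$2
    ncbin=$3
    ssh -o "ProxyCommand $ncbin %h %p" \
        -o ServerAliveInterval=5 \
        -o ServerAliveCountMax=4 \
        "$user@$host"
}

main() {
    user=$1
    host=${2:-cvs.savannah.gnu.org}
    if ! ncbin=$(find_netcat); then
        echo "no netcat (nc, ncat or netcat) found on PATH; install it first" >&2
        exit 1
    fi
    echo "testing the netcat route with $ncbin ..." >&2
    test_proxy_route "$user" "$host" "$ncbin"
    echo >&2
    echo "If the session did not hang, append this to ~/.ssh/config:" >&2
    host_block "$host" "$ncbin"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

On Savannah the interactive login ends with "Sorry, you are not allowed to execute that command", so the exit status of the test is not a success indicator; what matters is that you get your prompt back instead of a hang.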
Best Answer
This is not a banner, but a MOTD (Message of the Day). It is generated by PAM dynamically, and the static part can be simply appended as noted in the /etc/pam.d/sshd:
The dynamic part is generated from /etc/update-motd.d/ to /run/motd.dynamic by the pam_motd.so module.