SSH – Non-ASCII Printable Characters in SSHD Banner

colors ssh unicode

It's possible to configure a banner for sshd that is to be displayed as a connection is opened, via Banner /etc/motd.ssh in sshd_config. Note that this is displayed before the authentication occurs, and even when an interactive shell is not launched (e.g. via scp).

If this banner contains characters outside of the printable ASCII range, they seem to be escaped, however. Is there any way to either disable this escaping, or an alternative way to send textual output back to the client on connection which supports such characters outside of the printable-ASCII range?

This would be useful both for colour escape sequences and Unicode characters.

  • Related: Colorful ssh banner (not a duplicate, however, as this question is about another kind of banner, not about color)

Best Answer

Mention #1 - LinuxFromScratch project

One place that it's mentioned is in the Linux From Scratch project. I found this page titled: /etc/issue (Customizing your logon).

excerpt

The /etc/issue file is a plain text file which will also accept certain Escape sequences (see below) in order to insert information about the system. There is also the file issue.net which can be used when logging on remotely. ssh however, will only use it if you set the option in the configuration file and will also not interpret the escape sequences shown below.

Mention #2 - SecurityFocus Forum post

As additional evidence that this is not possible there is this excerpt from a forum post titled: Re: ssh and banners Aug 18 2009 01:20PM, that discusses the function that implements the printing of the banner in OpenSSH.

excerpt

After doing some more digging, I found that there is a function in the ssh source (specifically sshconnect2.c) called "input_userauth_banner" that displays the banner from the server. The text of the banner is now being filtered through another function called "strnvis" that encodes non-printable ascii characters as printable text, ie: octal codes. This is why the ansi escape sequence is displayed as "\033[". The documentation for strnvis doesn't mention any security issues, only "unexpected behavior" that could be associated with non-printable characters.

Mention #3 - OpenSSH Release Notes + RFC's

Lastly I encourage you to look through the release notes for OpenSSH. They're here as well as the RFC's that govern the SSH v1 & v2 specifications.

This RFC covers some of the behavior of the Banner feature. This section "5.4. Banner Message" covers the details of why this isn't allowed. This paragraph is where it says this is explicitly disallowed.

excerpt

If the 'message' string is displayed, control character filtering, discussed in [SSH-ARCH], SHOULD be used to avoid attacks by sending terminal control characters.

Additional references (per @hildred)
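
The client-side filtering described in the forum excerpt above, as an added example that is not part of the original answer and is not OpenSSH's code: a simplified vis-style encoder showing why an ANSI colour sequence or a UTF-8 byte in the banner reaches the terminal as octal text. The name banner_escape and the sample banner are constructed here, and passing newline and tab through unescaped is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified vis-style filter (hypothetical helper, not OpenSSH's strnvis).
 * Copies len bytes of src into dst, replacing every byte outside printable
 * ASCII, other than newline and tab (an assumption of this sketch), with a
 * backslash followed by three octal digits. A literal backslash is passed
 * through unchanged. Returns the number of bytes written, excluding the
 * terminating NUL, or -1 if dst is too small.
 */
static int banner_escape(char *dst, size_t dstsz,
                         const unsigned char *src, size_t len)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        int plain = (c >= 0x20 && c <= 0x7e) || c == '\n' || c == '\t';
        size_t need = plain ? 1 : 4;
        if (o + need + 1 > dstsz)   /* keep room for the NUL */
            return -1;
        if (plain) {
            dst[o++] = (char)c;
        } else {
            dst[o++] = '\\';
            dst[o++] = (char)('0' + ((c >> 6) & 7));
            dst[o++] = (char)('0' + ((c >> 3) & 7));
            dst[o++] = (char)('0' + (c & 7));
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed sample banner: ANSI colour sequence plus UTF-8 "e acute" (0xC3 0xA9). */
static const unsigned char sample_banner[] =
    "\033[31mWarning\033[0m caf\xc3\xa9\n";

int main(void)
{
    char out[4 * sizeof(sample_banner) + 1];   /* worst case: 4 bytes per input byte */
    if (banner_escape(out, sizeof(out), sample_banner,
                      sizeof(sample_banner) - 1) < 0)
        return 1;
    fputs(out, stdout);   /* the ESC byte is shown as the four characters \033 */
    return 0;
}
```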