39

I am logging into a server which has an ssh banner set. I would like to suppress it (especially for non-interactive use). I do not have access to the server sshd_config.

The best solution I have found so far is to set the LogLevel ERROR option on the client. The problem is that this will suppress any other INFO level messages, which I don't necessarily want to hide (search the OpenSSH source for logit for examples). I could also use ssh -q but that will suppress even more.

Are there any other more specific solutions?

Michael Hoffman
  • 503
  • 1
  • 4
  • 6

3 Answers3

51

AFAIK, "ssh -q" or "LogLevel QUIET" in ~/.ssh/config are the "traditional" ways to silence the banner. So you already have a "better" compromise with "LogLevel ERROR".

A more specific solutions would be to use a custom patched version of the ssh client, if this is an option.

Pascal Thivent
  • 1,495
  • 14
  • 11
  • 2
    I think that `LogLevel ERROR` only suppresses the banner in newer versions of OpenSSH. In older versions, `LogLevel QUIET` or `ssh -q` are required. – Michael Hoffman Oct 06 '09 at 14:41
  • 3
    If `-q` doesn't work (it didn't for me on Debian 7) then you can use a solution from another question: http://serverfault.com/a/764403/62024 – Nux Aug 16 '16 at 10:11
2

You can also use:

Banner none

on 

/etc/ssh/sshd_config
Pedro Lobito
  • 419
  • 1
  • 4
  • 12
  • 2
    The OP specified "I do not have access to the server `sshd_config`", so unfortunately this does not answer the question. – Daniele Santi Feb 12 '19 at 08:47
  • 1
    @MrShunz You're right, but I arrived to this page searching for `Suppressing ssh banner from OpenSSH client` and this answer, while it doesn't fully answer OP question, it may help future users. – Pedro Lobito Feb 12 '19 at 12:01
0

Install hexedit:

apt-get update && apt-get install hexedit

Back up your sshd binary and create an editable working copy (as root):

  cp -p /usr/sbin/sshd /tmp/sshd.backup
  cp -p /tmp/sshd.backup /tmp/sshd.new

Update the binary with hexedit:

hexedit /tmp/sshd.new

Press TAB to switch from the HEX are to the ASCII area.

Use CTRL+S to bring up the search prompt and search for the text in your banner than you want to hide e.g. ‘OpenSSH_7.4’.

You should see something like:

0007DA54   61 67 65 6E  74 00 00 00  4F 70 65 6E  agent...Open
0007DA60   53 53 48 5F  37 2E 34 70  31 20 52 61  SSH_7.4p1 Ra
0007DA6C   73 70 62 69  61 6E 2D 31  30 2B 64 65  spbian-10+de
0007DA78   62 39 75 32  00 00 00 00  4F 70 65 6E  b9u2....Open

Use the arrow keys to highlight the start of the string that you want to update and type your replacement.

Be careful to stay within the bounds of the length of the original banner. You can also press TAB to switch back to the HEX area if you wanted to just null out the string setting each word to ’00’.

Your change should look something like:

0007DA54   61 67 65 6E  74 00 00 00  48 65 72 65  agent...Here
0007DA60   20 62 65 20  64 72 61 67  6F 6E 73 2E   be dragons.
0007DA6C   20 54 75 72  6E 20 42 61  63 6B 00 00   Turn Back..
0007DA78   00 00 00 00  00 00 00 00  4F 70 65 6E  ........Open

Save your changes with CTRL+x and a Y.

Check if there are any instances that we missed (we expect no output now):

strings /tmp/sshd.new | grep Rasp

Update sshd and restart the service for good measure:

rm /usr/sbin/sshd
cp -p /tmp/sshd.new /usr/sbin/sshd
systemctl restart ssh.service

Check that you can still SSH in (otherwise restore the backup or reinstall OpenSSH from your package manager!):

ssh -vv user@ip

NOTE!!

This change will only be temporary as any time you update OpenSSH, the binary will be replaced.

Community
  • 1
kokane
  • 9
  • 1
  • 4
    While it’s true that the question didn’t actually specify that they don’t have write access to `sshd`, it seems pretty likely since it _did_ specify no `sshd_config` access. They’re looking for a client-based solution. – Mike Scott Oct 07 '19 at 07:10
  • This answer made my day! – kaki gadol Aug 17 '21 at 12:20