I'm deploying a script that runs on various clients behind firewalls that I don't control. The script attempts an SSH client login to a remote server that I do control (the script comes pre-loaded with a private key for authentication). Some of the firewalls at some datacenters redirect ALL OUTBOUND port 22 requests to a different server (sysadmins at the various facilities seem to have done this for their own purposes).
In these cases the script fails (because the ssh client login fails). The script has a diagnostic facility which tests users' connections. In order to be able to determine if my remote server is reachable from their workstation on port 22, I want to run the command
telnet my-remote-host 22
From my script, and test the response. My target server responds:
SSH-2.0-OpenSSH_4.3
My local development server responds:
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
NOTE: These are the telnet responses on port 22, not the OpenSSH banner text for my server (which would be unreachable in such situations)
How do I control this text? -- So I can insert a token that would identify my own server as the one being pinged in this situation. The datacenter servers accepting the port 22 requests may possibly have the exact same version of OpenSSH running on them as my own remote server.
(Currently my diagnostics are just reporting failed login, but there are other reasons this can happen - I'm looking for a more fine-grained diagnostic that can test to see if my server is really reachable on port 22 before I attempt a real login)
You could/should use
ssh-keyscan
to gather and compare the public key of your host. I'd imagine it's more difficult to fake than changing the banner (which as you can see from other responses tends to get people all hot under the collar!). If you get the key and it matches what you know the key should be then the host is up and listening on port 22 without you having to log in. It saves you having to recompile your ssh packages every time a new release is out. The key will be different for each host.
So something like this will get the ball rolling.
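One way to build the check this answer describes, as an added example rather than the answerer's own code: the script pins the public key of the server you control and compares it against what ssh-keyscan returns, so a firewall that redirects port 22 to a different OpenSSH host (same version or not) shows up as "reachable but wrong key" instead of a generic login failure. The EXPECTED_KEY value is a constructed placeholder; the hostname my-remote-host is taken from the question; the result labels printed by probe_host are this example's own convention.

```shell
#!/bin/sh
# Pinned public key of the server we control. CONSTRUCTED placeholder: replace it
# with the real "keytype base64" columns from `ssh-keyscan -t ed25519 my-remote-host`.
EXPECTED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderReplaceWithRealKey0'

# key_matches "<ssh-keyscan output>": succeeds (exit 0) if any scanned line carries
# exactly the pinned key. ssh-keyscan prints "host keytype base64key" per key;
# lines starting with '#' are skipped, as are short or empty lines.
key_matches() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_KEY" '
        $1 !~ /^#/ && NF >= 3 { if (($2 " " $3) == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# probe_host HOST [PORT]: scan the host and classify what answered on the port.
# Prints one of: reachable-and-ours | reachable-but-wrong-key | unreachable
# Exit status: 0 = ours, 1 = some other SSH server answered, 2 = nothing answered.
probe_host() {
    host=$1
    port=${2:-22}
    # -T 5: give up after 5 seconds; -t ed25519: ask for one key type only.
    scan=$(ssh-keyscan -T 5 -p "$port" -t ed25519 "$host" 2>/dev/null)
    if [ -z "$scan" ]; then
        echo unreachable
        return 2
    elif key_matches "$scan"; then
        echo reachable-and-ours
        return 0
    else
        echo reachable-but-wrong-key
        return 1
    fi
}

# Usage from the diagnostic script: probe_host my-remote-host
if [ $# -gt 0 ]; then
    probe_host "$1"
fi
```

Only the key comparison is exercised offline; probe_host needs network access to the host being checked.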
You are doing it wrong! The only way to determine if you are reaching the 'good' server is by checking its key's fingerprint. Have a look at the ssh_config (5) manual page. The parameter you are looking for should be 'StrictHostKeyChecking'
And by the way, don't do stupid things with this banner. Its content is defined in the protocol specification and changing it could prevent your clients from connecting.
Sorry, I'm afraid that the only way to change that text is to modify the source code and compile ssh by hand.