Type: Improvement
Resolution: Fixed
Priority: Minor
Component/s: trilead-api-plugin
We need to present the banner sent during SSH authentication, since it can carry legal information and/or a notice that the password is about to expire.
This is an example using OpenSSH 9.8:
2024-10-24 09:49:35,080 (Logger.java:46) TRACE : Received SSH_MSG_KEXDH_REPLY/SSH_MSG_KEX_DH_GEX_GROUP 212 bytes payload
2024-10-24 09:49:35,104 (Logger.java:46) TRACE : Client: 'SSH-2.0-TrileadSSH2Java_213'
2024-10-24 09:49:35,105 (Logger.java:46) TRACE : Server: 'SSH-2.0-OpenSSH_9.8'
2024-10-24 09:49:35,109 (Logger.java:46) TRACE : Sent SSH_MSG_NEWKEYS 1 bytes payload
2024-10-24 09:49:35,114 (Logger.java:46) TRACE : Received SSH_MSG_NEWKEYS 1 bytes payload
2024-10-24 09:49:35,115 (ImplSsh.java:571) DEBUG : Done creating a ssh connection: 214.21.133.206:830_ID6240977
2024-10-24 09:49:35,117 (Logger.java:46) TRACE : Sent SSH_MSG_SERVICE_REQUEST 17 bytes payload
2024-10-24 09:49:35,117 (Logger.java:46) TRACE : Sent SSH_MSG_USERAUTH_REQUEST 37 bytes payload
2024-10-24 09:49:35,162 (Logger.java:46) TRACE : Received SSH_MSG_SERVICE_ACCEPT 17 bytes payload
2024-10-24 09:49:35,209 (Logger.java:46) TRACE : Received SSH_MSG_USERAUTH_BANNER 1031 bytes payload
2024-10-24 09:49:35,210 (Logger.java:46) TRACE : Received SSH_MSG_USERAUTH_FAILURE 45 bytes payload
2024-10-24 09:49:35,212 (ImplSsh.java:462) DEBUG : Available authentication methods: [publickey, password, keyboard-interactive]
2024-10-24 09:49:35,212 (ImplSsh.java:464) DEBUG : Ignoring authentication methods: [publickey, password, gssapi-with-mic]
2024-10-24 09:49:35,212 (ImplSsh.java:474) DEBUG : Trying to authenticate with method: keyboard-interactive
2024-10-24 09:49:35,213 (Logger.java:46) TRACE : Sent SSH_MSG_USERAUTH_REQUEST 61 bytes payload
2024-10-24 09:49:35,220 (Logger.java:46) TRACE : Received SSH_MSG_USERAUTH_INFO_REQUEST 32 bytes payload
2024-10-24 09:49:35,223 (Logger.java:46) TRACE : Sent SSH_MSG_USERAUTH_INFO_RESPONSE 16 bytes payload
2024-10-24 09:49:35,441 (Logger.java:46) TRACE : Received SSH_MSG_USERAUTH_INFO_REQUEST 17 bytes payload
2024-10-24 09:49:35,442 (Logger.java:46) TRACE : Sent SSH_MSG_USERAUTH_INFO_RESPONSE 5 bytes payload
2024-10-24 09:49:35,448 (Logger.java:46) TRACE : Received SSH_MSG_USERAUTH_BANNER 41 bytes payload
2024-10-24 09:49:35,493 (Logger.java:46) TRACE : Received SSH_MSG_USERAUTH_SUCCESS 1 bytes payload
2024-10-24 09:49:35,494 (ImplSsh.java:488) DEBUG : keyboard-interactive authentication successful? true
2024-10-24 09:49:35,494 (ImplSsh.java:500) DEBUG : Authentication Complete: 214.21.133.206:830_ID6240977
Value of the banner: Password will expire in 75 days
Here we can see two banner messages:
1. Legal information
2. Password is about to expire.
Current implementation:
Banner data is parsed in
https://github.com/mpet/trilead-ssh2/blob/master/src/com/trilead/ssh2/packets/PacketUserauthBanner.java, and
AuthenticationManager holds a String for the message, but it is internal to the class.
The suggestion is to add a public method, List<String> getBanners(), in Connection.
If no banner exists, or no banner has been sent yet, it should return an empty list.
According to SSH RFC 4252 (https://www.ietf.org/rfc/rfc4252.txt):
5.4. Banner Message
In some jurisdictions, sending a warning message before
authentication may be relevant for getting legal protection. Many
UNIX machines, for example, normally display text from /etc/issue,
use TCP wrappers, or similar software to display a banner before
issuing a login prompt.
The SSH server may send an SSH_MSG_USERAUTH_BANNER message at any
time after this authentication protocol starts and before
authentication is successful. This message contains text to be
displayed to the client user before authentication is attempted. The
format is as follows:
byte SSH_MSG_USERAUTH_BANNER
string message in ISO-10646 UTF-8 encoding [RFC3629]
string language tag [RFC3066]
By default, the client SHOULD display the 'message' on the screen.
However, since the 'message' is likely to be sent for every login
attempt, and since some client software will need to open a separate
window for this warning, the client software may allow the user to
explicitly disable the display of banners from the server. The
'message' may consist of multiple lines, with line breaks indicated
by CRLF pairs.
Ylonen & Lonvick Standards Track [Page 7]
RFC 4252 SSH Authentication Protocol January 2006
If the 'message' string is displayed, control character filtering,
discussed in [SSH-ARCH], SHOULD be used to avoid attacks by sending
terminal control characters.
There seems to be no restriction on the number of SSH_MSG_USERAUTH_BANNER messages, and this is confirmed by the OpenSSH implementation.
Will add a PR for this.
//mikael
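As an added illustration (not code from trilead-ssh2 or from the issue), the following Python models both points above: the RFC 4252 wire format of SSH_MSG_USERAUTH_BANNER (byte type, string message, string language tag), the control-character filtering the RFC asks for before a banner is displayed, and the proposed getBanners() semantics (all banners in order, an empty list when none were sent). The function and constant names, and the sample banners, are constructed for this example; only the message number 53 and the 75-day expiry text come from the RFC and the log above.

```python
from __future__ import annotations
import re
import struct

SSH_MSG_USERAUTH_BANNER = 53  # message number assigned by RFC 4252


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH 'string' (uint32 length + that many bytes, RFC 4251 s.5) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length exceeds payload")
    return buf[off:off + n], off + n


def parse_userauth_banner(payload: bytes) -> tuple[str, str]:
    """Decode a banner payload: byte SSH_MSG_USERAUTH_BANNER, string message, string language tag."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_BANNER:
        raise ValueError("not an SSH_MSG_USERAUTH_BANNER payload")
    message, off = _read_string(payload, 1)
    language, off = _read_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    return message.decode("utf-8"), language.decode("ascii")


# C0 controls except LF, plus DEL and the C1 range; ESC (0x1b) is in here, so
# terminal escape sequences lose their introducer and cannot act on the terminal.
_CONTROL = re.compile(r"[\x00-\x09\x0b-\x1f\x7f\x80-\x9f]")


def sanitize_banner(text: str) -> str:
    """Control-character filtering per RFC 4252 s.5.4: keep the CRLF line breaks
    the banner is allowed to contain (as '\\n'), drop every other control character."""
    return _CONTROL.sub("", text.replace("\r\n", "\n"))


def build_userauth_banner(message: str, language: str = "en") -> bytes:
    """Encode a banner packet; used here only to construct sample server input."""
    m, lang = message.encode("utf-8"), language.encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_BANNER]) + struct.pack(">I", len(m)) + m
            + struct.pack(">I", len(lang)) + lang)


def collect_banners(payloads: list[bytes]) -> list[str]:
    """Model of the proposed getBanners(): every banner the server sent, in order,
    already sanitized for display; an empty list when no banner was received."""
    return [sanitize_banner(parse_userauth_banner(p)[0]) for p in payloads]
```

A client that wants the raw text for logging can keep parse_userauth_banner's output and apply sanitize_banner only at the point of display.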