Cisco banners with SSH
When configuring a Cisco device I always configure some kind of banner, which is displayed when logging in. This banner contains some information, like security warnings and general information. There are different kind of banners.
- exec: display a banner before displaying the enable prompt;
- login: display a banner before the password login prompt when accessing the security appliance using Telnet;
- motd: display a message-of-the-day banner when you first connect;
I was used to configuring a banner login with different variables, like shown below:
banner login ^
You have entered device $(hostname).$(domain) at line $(line) $(line-desc)
^C
This works fine when connecting with Telnet to the device, but this doesn’t work when using SSH. For security reason, I always use SSH to connect to devices, but I didn’t notice the “corrupt” banner since recently.
Banner login doesn’t support SSH:
“When accessing the security appliance through Telnet or SSH, the session closes if there is not enough system memory available to process the banner messages or if a TCP write error occurs. Only the exec and motd banners support access to the security appliance through SSH. The login banner does not support SSH.”
The example below shows the output from a banner motd and a banner login when connecting via SSH.
ssh -l admin 10.10.66.12
You have entered device $(hostname).$(domain) at line $(line) $(line-desc)
Password:
You have entered device C877.booches.nl at line 1
C877#
The first banner is de banner login and the second is the banner motd. So when using SSH to connect to a device, it is better to use a banner motd or a banner exec.
