[Info-vax] unwanted SSH banner
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Feb 23 11:46:15 EST 2016
On 2016-02-23 15:07:09 +0000, lists at openmailbox.org said:
> On Tue, 23 Feb 2016 09:40:04 -0500
> Stephen Hoffman via Info-vax <info-vax at rbnsn.com> wrote:
>
>> On 2016-02-23 12:50:13 +0000, lists at openmailbox.org said:
>>
>>> Two things to check in the global sshd_config are
>>
>> Those knobs aren't as effective as would be a daemon that looked at
>> whether the incoming request was a login or a one-shot, and chose
>> whether to display the output or not.
>> Not that the ssh daemon even particularly effectively processes the @ notation.
>
> There is an explanation in the man page (don't know if OpenSSH comes
> with VMS HELP) that explains whether messages are issued for
> interactive logons, etc. I think the info is available and the controls
> are probably granular enough. The OpenBSD and SSH man pages are usually
> pretty complete.
Might want to see if it's OpenSSH, first. AFAIK, it isn't. It was
(may still be) the SSH2 package from SSH Communication Security, and
apparently based on version 3.2.0 of that package.
For comparison purposes and assuming it's the Tectia package, that's
now at version 6.4.
Based on comparing the switches, the OpenBSD man pages are not going to
help very much.
Whether or not there are switches or knobs, AFAICT, the default
configuration does not correctly process @ notation. For a custom
port. Of a custom product. (I haven't looked to see if my other
"favorite" here — around processing the password change — has become the
default in new installs. That used to be disabled.)
Then there's "fun" like the TCPIP$SSH_FILECOPY_DISALLOWED identifier
for controlling sftp access. That's not in the main docs. Only in
the config file comments and the release notes. Gotta love the OpenVMS
docs. Sometimes wonderful, but increasingly scattershot and stale, at
best. Lots of "fun" stuff is only in the configuration file comments
— those configuration files are another issue — and many of the code
comments clearly don't get edited for contents or clarity or
consistency. Whether or not the default should allow access is
another discussion — no good answer to that, even though typical
security practice would prefer you to block by default. But I digress.
I can't tell if the defaults for the expired password support have
flipped, either — the classic defaults were because clients didn't
support the password change sequence. That's changed, of course, but
I can't tell from the docs what the default is. Related:
http://labs.hoffmanlabs.com/node/510
> If anybody needs a man page and can't find one online I can find a
> pointer to one.
Yeah, there are a few folks around here that are seemingly operating at
locations without access to web search engines and docs, surprisingly.
But then finding the OpenSSH docs might not help, here.
--
Pure Personal Opinion | HoffmanLabs LLC