SSH troubles resolved


When I was installing a new server I thought that it would be nice to have the server display a nice banner when I contact it. With OpenSSH this is rather easy to achieve. Just setting the Banner option in /etc/ssh/sshd_config should do the trick. I also thought it would be nice to have the servername displayed, created with Figlet. So when I login the screen should look something like this:

 _ __ ___  _   _ ___  ___ _ ____   _____ _ __
| '_ ` _ \| | | / __|/ _ \ '__\ \ / / _ \ '__|
| | | | | | |_| \__ \  __/ |   \ V /  __/ |
|_| |_| |_|\__, |___/\___|_|    \_/ \___|_|
           |___/

I set this all up and when I logged in the screen looked like:

 _ __ ___  _   _ ___  ___ _ ____   _____ _ __
| '_ ` _ \\| | | / __|/ _ \\ '__\\ \\ / / _ \\ '__|
| | | | | | |_| \\__ \\  __/ |   \\ V /  __/ |
|_| |_| |_|\\__, |___/\\___|_|    \\_/ \\___|_|
           |___/

I guess you can understand it’s not what I wanted. All backslashes are doubled, hmmm weird.

Poking around in the system (CentOS 5.4) seemed to lead me to the mingetty command, because that’s what’s used to login.

In the source code of mingetty I found:

if ((fd = fopen (ISSUE, "r"))) {
    while ((c = getc (fd)) != EOF) {
        if (c == '\\')
            output_special_char (getc(fd));
        else
            putchar (c);
    }
    fflush (stdout);
    fclose (fd);
}

so that could be it.

As a test I put a mingetty escape sequence in the /etc/issue file, but that showed up completely the same, no mingetty translation. So that’s not it. Not that many options left. Maybe the OpenSSH server displaying the backslashes the wrong way.

Tracing the OpenSSH server source code showed that it couldn’t be that one, because the Banner file is just sent by an atomic write.

But, if it’s not the server, maybe it’s the client. Another source code scan of the OpenSSH stuff revealed the culprit. In the file sshconnect2.c the function input_userauth_banner displays the banner, sent from the server. On line 417 (in my source tree, OpenSSH version 5.3p1) it says

strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);

So unsafe characters and octal characters are encoded. The man page of strnvis states:

There is one additional flag, VIS_NOSLASH, which inhibits
the doubling of backslashes and the backslash before the
default format

So I changed the line to

strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);

recompiled SSH and reconnected to my new, shiny server.

Hurray, problem solved.

Checking the Internet I found out that someone already found this bug and checked it in with the OpenSSH developers (about an hour before I tried to check it in). It will be resolved in version 5.4, but it can still take some time to find it’s way into all distributions.

Old 

See also