ssh-audit icon indicating copy to clipboard operation
ssh-audit copied to clipboard

Published 20 hours ago verified publisher icon arthepsy

`[exception] did not receive banner.` exception

Open jpluimers opened this issue 8 years ago • 8 comments

For an sshd configuration, it is valid to have the Banner option in /etc/ssh/sshd_config set to none.

However, ssh-audit then always throws a [exception] did not receive banner..

It would be nice if ssh-audit could optionally skip checking for a banner.

jpluimers avatar Jul 28 '17 10:07 jpluimers

Banner in sshd_config is something different than exception regarding "banner". Even by default it is none. Exception is regarding identification string, e.g., SSH-2.0-OpenSSH_7.5.... I can agree that wording could be better.

@jpluimers, do You really get that exception? I would like to debug that case, because only way I can achieve it, is by faking sshd server and not sending identification string.

arthepsy avatar Sep 26 '17 14:09 arthepsy

I should have put the ssh-audit version and server target in the issue. Need to find out which machine this was meant for as I forgot. Might take a while, so please keep this open for now.

jpluimers avatar Sep 27 '17 15:09 jpluimers

OK, and also, please, let me know if You give up, so this issue shouldn't stay open forever.

arthepsy avatar Sep 28 '17 07:09 arthepsy

I got it one more time at a RaspberryPi connected via LAN from a MacBook connected via WiFi at my brothers place when he was using his microwave.

Plain ssh works fine, but ssh-audit fails every now and then. I think ssh is more resilient to a non-stable network than ssh-audit.

jpluimers avatar Sep 29 '17 08:09 jpluimers

That could be the case, as I have set-up very small timeout limits (3 seconds for connection, 5 seconds for reading data) to use it for bulk scans and receive answer fast when ssh server doesn't respond. This could be made configurable, but that would add new option, which should be remembered and used.

Does that sound something useful for You?

arthepsy avatar Sep 29 '17 11:09 arthepsy

It does. Though I understand your hesitation to add yet another set of options.

jpluimers avatar Sep 29 '17 17:09 jpluimers

Option could be added, just have to think about the naming and design, e.g., will that include two options (connection and read timeout) or a single one; how to specify them intuitively, etc. I was thinking something along the lines of -t 3:5. What do You think?

arthepsy avatar Oct 01 '17 22:10 arthepsy

Good idea.

Note that having one option with a list of parameters can be hard parsing and harder to remember the order of the parameters, so it might be easier to support this:

[--connection-timeout|-ct] <integer> [--read-timeout|-rt] <integer>

jpluimers avatar Oct 05 '17 08:10 jpluimers