# How to run program before ssh login in FreeBSD



## hessamini (Feb 17, 2015)

Hi. I have written a program in FreeBSD text mode and want SSH users to see this program before logging in to FreeBSD (before *login as:*).
Do I need to change the configuration of SSH?
Do I need to change my program code?


----------



## storvi_net (Feb 17, 2015)

Sorry, I did not understand, what you want to achieve...


----------



## wblock@ (Feb 17, 2015)

Like a login prompt?  Otherwise, it will need future prediction technology that has not been developed yet.


----------



## hessamini (Feb 18, 2015)

I have a simple program and I want to show this when I run PuTTY in Windows. By default when we run PuTTY we must log in to SSH, but I want to show my program before login.


----------



## hessamini (Feb 18, 2015)

Hello

Sorry about my English.
I work on the FreeBSD shell and I also made a program in C++.
I want to run my program before the authorization process (login to FreeBSD) when the user logs in with an SSH client.
Is it possible on FreeBSD or the SSH server?

I really appreciate any help you can provide.
Hesam.


----------



## ondra_knezour (Feb 18, 2015)

You may experiment with the Banner setting of OpenSSH; however, quick googling shows that PuTTY will display its own *login as:* prompt before displaying the banner from the server. If you would like to add some interactivity, you would need some wrapper, for example set the inetd daemon to listen on port 22, call your program which will set up the ssh connection, do what you want and hand it over to the sshd daemon. Too complicated and possibly insecure from my point of view.


----------



## _martin (Feb 19, 2015)

For security reasons it does not make much sense to execute anything on the server before actual login. You can display a plain text message using the Banner keyword.

As you didn't specify what you want to achieve it's hard to say. I'd lean towards custom PAM module.


----------



## storvi_net (Feb 19, 2015)

If you just got users with ssh-keys, you could also write a wrapper for the "command=.."-Directive, which is bound to a specific key. The wrapper must execute your program and hand over to the shell.

Regards
Markus


----------



## _martin (Feb 19, 2015)

storvi_net said:


> If you just got users with ssh-keys, you could also write a wrapper for the "command=.."-Directive, which is bound to a specific key.


But that is executed after successful login (and key has to be there). My guess is he wants something to be executed before each login prompt.


----------



## hessamini (Feb 24, 2015)

Yes, I want something to be executed before each login prompt. Thank you.
I think I have no choice but to edit the OpenSSH project or make a daemon to listen on port 22, so that my daemon runs my program and after the program exits shows the login prompt.
What is your idea?


----------



## gkontos (Feb 24, 2015)

hessamini said:


> Yes, I want something to be executed before each login prompt. Thank you.



If I may ask, what does your program actually execute? You realize that this could also become a nice candidate for a DoS.



hessamini said:


> I think I have no choice but to edit the OpenSSH project or make a daemon to listen on port 22, so that my daemon runs my program and after the program exits shows the login prompt.
> What is your idea?



If your program listens on any port below 1024 then it will have to be executed with root privileges. Also, only one daemon can bind to a specific port. Therefore, if your program listens on port 22 openssh will need to listen to a different port.


----------



## hessamini (Feb 24, 2015)

I think before login in SSH, FreeBSD can not show a TTY; this issue makes a problem for how to show my program on the SSH terminal without a TTY.
I have a question: Can I show my program on the SSH terminal without a TTY?
Perhaps you think my try to make this program fails, but this problem is solved by pfSense.
But I do not know how.
I decided to install pfSense and check the source code, because I heard this project runs before login to SSH.
I really appreciate any help you can provide.


----------



## gkontos (Feb 24, 2015)

If you tell us what your program does, then someone might be able to point you in the right direction.


----------



## storvi_net (Feb 24, 2015)

hessamini: WHAT does your program do? 

We are asking for several posts what you want to achieve. The answer is not "I want to run a program before a login". With this kind of information we can not help you.

If you want to google around, you can use a combination of AuthorizedKeysCommand and a PAM module which fires up a script / wrapper of your program.

But again: If you tell us the things we need to know you probably will get a better solution...

Regards
Markus


----------



## hessamini (Feb 25, 2015)

Sorry about my English.
For 4 years my company has worked on a firewall on FreeBSD. To customize the firewall we have a program on Windows. The Windows program can connect to the firewall on FreeBSD with SSH to send and receive information. My company decided to make a program in FreeBSD text mode. In text mode we can make a program using Turbo Vision. Turbo Vision can help me make a user-friendly program in text mode. This text mode program must work the same as the Windows program and customize the firewall on FreeBSD. This text mode program must run before login to SSH on terminals.

For example: 
My FreeBSD IP is 192.168.1.5 and firewall is working on this.
I must customize the firewall on FreeBSD.
I can customize the firewall on FreeBSD with the Windows application, but we want to do this with a FreeBSD application. When I run PuTTY on Windows to connect to 192.168.1.5, the first view is *Login as:*, but I want my program to be run instead of it.


----------



## getopt (Feb 25, 2015)

hessamini said:


> This Text Mode program must run before login to SSH on terminals.


You still do not explain the reason why this should take place before a login. And I doubt that there is any good reason for wanting this.
Good practice is to log in with SSH and then manipulate a firewall's configuration, because you have to authenticate first before altering anything.
If you have designed a concept without authentication for altering a security relevant part of a host, it is crapware. Do you agree?


----------



## hessamini (Feb 25, 2015)

There is nothing to hide. I have been asked to run the program before authentication. This is company policy. The program can also be run after authentication. This is necessary only for the convenience of users. Similar programs usually do this, such as *PFsense*.


----------



## gkontos (Feb 25, 2015)

Obviously, when you use the Windows GUI you are authenticated BEFORE you can make any changes to the firewall. Therefore, the same approach should be taken here too.

What you probably want to do is to change the "look and feel" of the authentication. You can't do that unless you either modify the code of OpenSSH or use an API. I am not aware of any APIs but libssh might be a good starting point.


----------



## storvi_net (Feb 25, 2015)

Do you probably just want to show some kind of Banner? Then you could adjust the banner (before login) or motd (after login).

Example: http://www.shellhacks.com/en/HowTo-Set-a-Warning-Message-Banner-in-SSH

Can you explain step-by-step what you want to see in this way:
1. User uses Putty / SSH to login into Firewall
2. Program is executed and does the following
3. User sees a welcome-Screen with the following information...
4. User has to authenticate himself
5. User is logged in and has a shell

Especially Step 2 and 3 are relevant for us to help you.


----------



## gkontos (Feb 25, 2015)

If I understood correctly, they currently have a Windows client program, for managing the firewall, which authenticates the user to the firewall using sshd. Now, they also want to add a host-based utility with similar functionality. However, someone told him that the ssh authentication should occur within this host-based utility (probably a requirement).
While this is doable, it is more complex and difficult to support/maintain. The simplest method IMHO would be to write a custom limited shell that integrates with the new program.


----------
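The post-authentication route suggested in this thread (storvi_net's `command=` wrapper and gkontos's limited shell), as an added example that is not code from any poster. The wrapper name, the program path `/usr/local/bin/fwtui` and the group `fwadmin` are assumptions; it also covers the TTY question by refusing sessions that have no pseudo-terminal.

```sh
#!/bin/sh
# Added example: forced-command wrapper, installed under the hypothetical path
# /usr/local/libexec/fwtui-wrapper. Bind it to a key in authorized_keys
# (key material is a placeholder):
#   command="/usr/local/libexec/fwtui-wrapper",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY> admin
# or, for password users, in sshd_config (group name is an assumption):
#   Match Group fwadmin
#       ForceCommand /usr/local/libexec/fwtui-wrapper

FWTUI=${FWTUI:-/usr/local/bin/fwtui}   # hypothetical Turbo Vision program

# decide_action HAS_TTY ORIGINAL_COMMAND -> prints tui | deny-notty | deny-command
decide_action() {
    has_tty=$1 original=$2
    if [ -n "$original" ]; then
        # The client asked for its own command (ssh host cmd, scp, sftp).
        # Refuse it, or the forced command would not confine the account.
        echo deny-command
    elif [ "$has_tty" != yes ]; then
        # A full-screen text UI cannot draw without a pseudo-terminal (ssh -T).
        echo deny-notty
    else
        echo tui
    fi
}

main() {
    if [ -t 0 ]; then tty=yes; else tty=no; fi
    action=$(decide_action "$tty" "${SSH_ORIGINAL_COMMAND:-}")
    # Audit trail: sshd has already authenticated the user at this point.
    logger -p auth.info -t fwtui-wrapper \
        "user=$(id -un) from=${SSH_CLIENT%% *} action=$action"
    case $action in
        # Run the UI, then hand over to the login shell (storvi_net's variant).
        # Drop the exec to get the limited-shell variant: session ends with the UI.
        tui) "$FWTUI"; exec "${SHELL:-/bin/sh}" -l ;;
        *)   echo "interactive terminal sessions only" >&2; exit 1 ;;
    esac
}

case ${0##*/} in
    fwtui-wrapper) main "$@" ;;
    *)  # Not installed as the wrapper: show decisions for constructed inputs.
        for case_ in "yes|" "no|" "yes|scp -t /etc"; do
            printf '%s -> %s\n' "$case_" \
                "$(decide_action "${case_%%|*}" "${case_#*|}")"
        done ;;
esac
```

With either binding the program only starts after sshd has authenticated the user; a `Banner` file remains the only thing shown before that.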

