# Showing the REMOTE IP address on the login banner



## Allan (Mar 16, 2020)

I have a login banner that is displayed *prior* to password authentication via SSH.

This is what it currently looks like:



```
===================================================
This is a private system.

Only authorized users may access this system with their individually assigned user
accounts. Sharing of any account information with anyone is strictly prohibited and
may result in account suspension and/or termination in accordance with the
Acceptable Use Policy (AUP).

All access to this system and all traffic to and from it may be monitored and logged
by the system owner(s), operator(s), and administrator(s).
=====================================================
```

What I would like to do is add a line (the bottom is fine, but the option to put it anywhere would be great) that says something like the following:


```
Your IP address is XXX.XXX.XXX.XXX
```

I found a post about adding the IP address of the _server_ (Thread 61798), but I'm looking to display the _remote client IP address_ and that would obviously change every time a login attempt occurred.

I've investigated `gettytab` and `pam_exec`, but so far, I haven't been able to get a solution working. *Is this possible and if so, how can I accomplish this?*


----------



## SirDice (Mar 16, 2020)

Allan said:


> *Is this possible and if so,*


I don't think that's possible. The only process that has that information is the sshd(8) daemon itself.


----------



## eternal_noob (Mar 16, 2020)

There is no advantage in showing the IP address to someone who logs in. He already knows it.
Just write something like


> Your IP address will be recorded


----------



## ralphbsz (Mar 16, 2020)

Why? What advantage does that give? I don't see any.

What is the disadvantage? The "unknown unknowns": it might have unintended side effects. For example, if the attacker is behind a NAT, they can use the IP address that's seen by the server to figure out how NAT is configured. It also adds complexity, which makes failures more likely.

My other nasty question is this: Why are you showing that legalistic looking banner? I think in most places, unauthorized access to a computer is already illegal. Casual (authorized) users don't need to be told that, and real hackers already know that. Is there a legal advantage to displaying such a banner?


----------



## Allan (Mar 17, 2020)

ralphbsz said:


> Why? What advantage does that give? I don't see any.



Well then...since _you_ don't see a benefit, then let me just withdraw my question.  I can appreciate curiosity as to why someone would want to do something a certain way, but knee-jerk reactionary divisiveness?  Whatever.



ralphbsz said:


> What is the disadvantage? The "unknown unknowns":



So, we don't know what we don't know.  Got it.  Any more profound and insightful tips you care to share?



ralphbsz said:


> For example, if the attacker is behind a NAT, they can use the IP address that's seen by the server to figure out how NAT is configured.



Why would I care what an attacker can ascertain about his network?  If the attacker is going after my server he already knows my IP.  If I show him his, what exactly is he going to deduce from that?  Apparently, this attacker is too incompetent to point his browser to https://ipchicken.com/

Oh....wait... you mean _internally._  Let's forget for a second you weren't clear and you meant the attacker was behind _my_ NAT. What makes you think this attacker is so incompetent to not know how to use `ifconfig` and `traceroute`? I'm genuinely curious...have you actually met any hackers?



ralphbsz said:


> It also adds complexity, which makes failures more likely.



Ahh yes.... complexity = failure argument.  Your IP address is such-and-such.  You're right.  I should drop this.  I do have some Y2K preparations I've been putting off due to their complexity.



ralphbsz said:


> My other nasty question is this: Why are you showing that legalistic looking banner?



You are right...*very nasty.*

I mean this in the kindest, and in the most professional demeanor possible: It's none of your dam business. FreeBSD gives me the option to put this information on a login screen and for whatever reason I could possibly have, I am opting to use it. I want to know if what I'd like to do is possible and came looking for an answer - not your _opinion_ on what I'm doing. I'm fairly confident I don't have any signed contract for your business practice consultation services, but I've been known to make mistakes. Perhaps you'd like to forward a copy of the executed agreement to refresh my memory?

*But what really, really pisses me off about your reply* is that I recently participated in a Reddit post about why FreeBSD is better than Linux and my answer was "the community". It's the professionalism, the kindness, the helpfulness and most of all the spirit in which people want to help each other that makes FreeBSD much better than Linux. *So, I give you my most heartfelt thanks because in less than 48 hours you proved me a liar and left me with egg on my face. Congratulations. Your method of promotion of the FreeBSD brand speaks volumes.*


----------



## T-Daemon (Mar 17, 2020)

I stumbled upon this article, "Display IP address in banner text", in a web search. It explains how to display local IP addresses on a Linux system in ssh's banner text with the help of a shell script. You could write a similar shell script. I was thinking of using the logging function of sshd(8) (SyslogFacility and LogLevel keyword-arguments) to extract the remote client's IP address and update the banner text.

I can't help with the script (lack of shell scripting knowledge), but you could use the shell scripts from the link as a draft and adapt them to your needs. Notice the _example_ link in the article, pointing to "Show IP address of VM as console pre-login message".


----------
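The log-based idea from the post above, sketched as an added example (not code from the thread or the linked article). It assumes sshd runs with `LogLevel VERBOSE`; the function names, the `@CLIENT_IP@` placeholder and the sample log lines are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumes sshd_config has "LogLevel VERBOSE", so sshd logs
# "Connection from ADDR port N on ADDR port N" for each incoming connection.

# Constructed sample syslog lines (documentation addresses). The third line has
# the phrase "Connection from" inside a user-supplied field (the login name).
SAMPLE_LOG='Mar 17 09:14:01 host sshd[1230]: Connection from 198.51.100.23 port 40112 on 192.0.2.10 port 22
Mar 17 09:14:02 host sshd[1234]: Connection from 203.0.113.7 port 51234 on 192.0.2.10 port 22
Mar 17 09:14:05 host sshd[1234]: Invalid user Connection from 192.0.2.66 port 1 from 203.0.113.7 port 51234'

# last_client_ip (hypothetical name): read syslog lines on stdin and print the
# address from the most recent sshd "Connection from" message, if any.
last_client_ip() {
    awk '
        # Fields: Mon DD HH:MM:SS host sshd[pid]: Connection from ADDR port N ...
        # Matching by field position ignores the phrase inside other messages.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Connection" && $7 == "from" && $9 == "port" {
            # Keep only strings made of characters valid in an IPv4/IPv6 literal.
            if ($8 ~ /^[0-9A-Fa-f:.]+$/) ip = $8
        }
        END { if (ip != "") print ip }
    '
}

# render_banner TEMPLATE IP: print TEMPLATE with @CLIENT_IP@ (a placeholder
# chosen for this example) replaced. IP is already limited to [0-9A-Fa-f:.],
# so it cannot contain sed metacharacters.
render_banner() {
    sed "s/@CLIENT_IP@/$2/g" "$1"
}

# update_banner TEMPLATE OUT: log on stdin; rewrite OUT via a temp file + mv so
# sshd never reads a half-written banner. Returns 1 if no connection was logged.
update_banner() {
    ip=$(last_client_ip)
    [ -n "$ip" ] || return 1
    tmp="$2.tmp.$$"
    render_banner "$1" "$ip" > "$tmp" && mv "$tmp" "$2"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | last_client_ip
```

The `Banner` file is shared by every connection, so two clients connecting at nearly the same time can be shown the wrong address; the log entry itself remains the reliable record.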

