# SSH hostname broadcast



## blah44 (Dec 26, 2013)

In the default FreeBSD installation, I see in sshd_config:

```
banner=none
```
but what is causing the behavior where the hostname appears before authentication when I try to log in from other hosts? I do not see anything obvious in sshd_config but I am not sure what this would be called, either.


----------



## gentoobob (Dec 29, 2013)

What hostname?  The box you are logging into or the box that your client is running on?  Also, what SSH client are you using?


----------



## blah44 (Jan 3, 2014)

The destination hostname appears in a prompt like "Password for user@remote:", which is odd because, while the host name is remote, there is no reverse DNS or anything that this could come from. It is literally what the host name is set to and nothing else.


----------



## trh411 (Jan 3, 2014)

A remote server does not need DNS in order to include its own hostname in a login prompt it sends to your SSH client when you try to connect to it.


----------



## gentoobob (Jan 3, 2014)

I don't think there is a way around that.  At least I haven't found anything.  It's not a security issue if that is what you are wondering.


----------



## junovitch@ (Jan 4, 2014)

It's PAM, not OpenSSH.  The entire DNS system isn't built for privacy so don't consider the host-name to be private.  I remember seeing this post about it and nobody seemed to care.  https://forums.freebsd.org/viewtopic.php?f=43&t=42674.


----------



## nanotek (Jan 4, 2014)

I am pretty sure my hostname isn't advertised when you SSH into my box. I can't remember what I did to achieve this though.


----------



## Kitche (Jan 5, 2014)

You have to do the following for the SSH PAM configuration:


```
auth required pam_unix.so no_warn try_first_pass authtok_prompt="Password:"
```


----------



## gentoobob (Jan 7, 2014)

@Kitche, if you are talking about the /etc/pam.d/sshd file, that did NOT work for me.


----------



## ShelLuser (Jan 7, 2014)

If you are really worried about this from a security perspective (something I wouldn't consider an issue myself, but to each his own) then my suggestion would be to get rid of the password authentication in its entirety and use key-based authentication, optionally (but recommended) with password-protected secret keys.

It's what I'm using for my servers and the only thing I get to see when I log on:


```
login as: peter
Authenticating with public key "backup2"
Passphrase for key "backup2":
```
And after that I'm in. No hostnames, no servernames, only common dialogs and stuff I typed myself.


----------
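
Added example, not part of any post in this thread and not FreeBSD or OpenSSH project code: a check that an sshd_config has actually turned off the password-style logins on which the PAM "Password for user@remote:" prompt is shown, as ShelLuser's key-only setup requires. The defaults used for unset keywords and the two sample configs are assumptions constructed for the example.

```shell
#!/bin/sh
# Report whether an sshd_config still allows password-style logins, the path
# on which the PAM prompt discussed in this thread is presented.
# Assumed defaults for unset keywords (FreeBSD's stock sshd_config):
#   ChallengeResponseAuthentication yes, PasswordAuthentication no.
# Simplifications: only global settings are read (parsing stops at the first
# Match block) and UsePAM is not consulted, so the verdict is conservative.

# effective_value FILE "name1|name2" DEFAULT   (names in lower case)
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
effective_value() {
    awk -v names="|$2|" -v def="$3" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/=/, " ") }                        # accept "Keyword=value" too
        tolower($1) == "match" { exit }          # leave conditional blocks alone
        index(names, "|" tolower($1) "|") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_prompts_enabled FILE -> exit status 0 if a password prompt is reachable
password_prompts_enabled() {
    # KbdInteractiveAuthentication is the newer name for the same option.
    kbd=$(effective_value "$1" \
        "kbdinteractiveauthentication|challengeresponseauthentication" yes)
    pw=$(effective_value "$1" "passwordauthentication" no)
    [ "$kbd" = yes ] || [ "$pw" = yes ]
}

# Constructed sample configs (not taken from the thread).
tmp=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication no' '#ChallengeResponseAuthentication yes' \
    'UsePAM yes' > "$tmp/stock"
printf '%s\n' 'challengeresponseauthentication no' 'PasswordAuthentication=no' \
    'PubkeyAuthentication yes' 'ChallengeResponseAuthentication yes' > "$tmp/keys_only"

for f in "$tmp/stock" "$tmp/keys_only"; do
    if password_prompts_enabled "$f"; then
        echo "${f##*/}: password-style prompts still enabled"
    else
        echo "${f##*/}: no password-style prompts"
    fi
done
```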



## nanotek (Jan 9, 2014)

gentoobob said:

> @Kitche, if you are talking about the /etc/pam.d/sshd file, that did NOT work for me.

`vi /etc/gettytab` and remove the %h (hostname) variable. For example:

original:

```
default:\
        :cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
        :if=/etc/issue:
```

modified:

```
default:\
        :cb:ce:ck:lc:fd#1000:im=\r\n\Clandestine %s\r\n\r\n:sp#1200:\
        :if=/etc/issue:
```


----------

