How to Disable SSH Server Banner Display Using Client-Side Configuration


2 views

Many system administrators want to maintain server-side banner messages (like legal notices in /etc/issue.net or custom MOTD files) while having control over when these banners display to specific clients. The standard SSH client doesn't provide a direct option to suppress server banners.

Common workarounds like PrintMotd no in sshd_config completely disable banners server-wide. Other approaches modify .bashrc or /etc/profile, but these affect all login methods, not just SSH.

While there's no native PrintBanner option, we can achieve similar functionality through these methods:


# Method 1: Using SSH protocol negotiation
ssh -o "LogLevel=ERROR" user@hostname

# Method 2: Forcing non-interactive mode
ssh -T user@hostname

# Method 3: Custom wrapper script
#!/bin/bash
if [[ "$1" == "--no-banner" ]]; then
    ssh -T "${@:2}" | grep -v "Welcome\|Authorized\|Last login"
else
    ssh "$@"
fi

For more granular control, modify your sshd_config:


Match Host *.example.com
    Banner /etc/ssh/banner_prod

Match Host *.dev.example.com
    Banner /etc/ssh/banner_dev

Match User auditor
    Banner none

Create a custom PAM module or modify existing banner scripts to check for client-specific environment variables:


# In /etc/ssh/sshrc
if [ -z "$SUPPRESS_BANNER" ]; then
    cat /etc/ssh/banner
fi

# Client connection with:
ssh -o "SendEnv=SUPPRESS_BANNER" user@host

Remember that completely suppressing banners might violate security policies requiring legal notices. Always consult your compliance team before implementing these changes in production environments.

When connecting to SSH servers, you'll typically encounter two types of messages:

  • MOTD (Message of the Day): Usually stored in /etc/motd
  • SSH Banner: Configured via the Banner directive in sshd_config

While there's no direct PrintBanner option, these methods achieve similar results:

# Option 1: Suppress all login messages
ssh -T user@hostname

# Option 2: Combine with other useful flags
ssh -q -o LogLevel=ERROR -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@hostname

To maintain your server's banner configuration while suppressing client-side display:

# Keep this in your sshd_config
Banner /path/to/your/banner.txt

For scripting scenarios where you need conditional banner display:

#!/bin/bash

SUPPRESS_BANNER=true

if [ "$SUPPRESS_BANNER" = true ]; then
    ssh -T user@hostname "your_command"
else
    ssh user@hostname
fi

Add these settings to ~/.ssh/config for persistent configuration:

Host specific-server
    HostName server.example.com
    User username
    LogLevel QUIET
    RequestTTY no