Introduction

In secure file transfer environments, especially where compliance and user accountability are critical, even small configuration features can significantly enhance security and usability. One such often-overlooked feature is the SSH banner.

An SSH banner is a text message displayed to users when they initiate an authentication to an SSH/SFTP.

Image with SSH banner

Configure an SSH Banner

An SSH banner is a predefined message presented to users when they connect to an SSH service (including SFTP). It is configured on the SFTPPlus SFTP server and appears before the user is prompted for login credentials.

This banner can contain: - Legal notices - Security warnings - Terms of use - System-specific instructions - Migration information - Server decommissioning notice - Contact or support information

The before_login_message configuration option is used to configure the SSH banner. It can be a multi-line value.

Best practices for SSH Banners in SFTPPlus MFT:

  • Keep banners concise but informative.
  • Avoid including sensitive information (e.g. system details or IPs).
  • Review messages regularly to ensure relevance and accuracy.
  • Ensure consistency across environments to avoid user confusion.
  • Combine banners with auditing and access control policies for maximum effect.

This functionality is available in SFTPPlus version 5.11.0 or newer.

Similar functionalities are available for the FTP/FTPS and HTTP/HTTPS protocols.

Why SSH Banners Matter in MFT Configurations

Legal Compliance and User Accountability

In regulated environments (such as finance, healthcare, or government sectors), it's important to ensure users are aware of the legal implications of accessing a system.

SSH banners can:

  • Display terms of authorized use
  • Serve as a legal deterrent to unauthorized users
  • Support compliance with standards such as NIST, ISO 27001, or GDPR

User Guidance and Operational Clarity

In complex MFT environments, users might be uploading or downloading files across multiple systems, environments, or directories. SSH banners can help orient them by providing:

  • Instructions on upload directories or naming conventions
  • Reminders about scheduled maintenance windows
  • Information about contact points for support
  • Can support prosecution in the case of a breach by demonstrating informed trespass

Example Use Cases

  • Migration to a new system: When the current SFTP server is planed to be decommissioned or migrated, a login message can inform users of the details of the new SFTP connection.
  • Enterprise File Gateway: An organization integrates SFTP uploads for business partners. Each partner receives a specific SSH banner reminding them of file size limits, naming standards, and contact emails.
  • Internal Data Lake Ingestion: SSH banners inform internal users of approved upload formats and mention that all activity is logged and audited under internal compliance policies.
  • Third-Party Vendor Access: Vendors using MFT for invoice uploads see a banner with terms of use and instructions for uploading monthly reports, reducing the burden on support teams.

Conclusion

While simple, the SSH banner is a powerful tool in the MFT security toolbox. It provides legal coverage, improves user experience, and strengthens overall access control policies. For organizations that rely on secure file transfers, enabling and customizing SSH banners is a low-effort, high-value enhancement to any SFTP server configuration.

The SFTPPlus MFT support team can assist your organization in implementing SSH banners by providing tailored guidance, configuration support, and best practices to meet specific security and compliance requirements.

For assistance, please contact the SFTPPlus MFT support team to discuss your specific implementation needs.