TwiN / gatus

⛑ Automated developer-oriented status page

Home Page:https://gatus.io

fix(ssh): Support authless connection

jinnatar opened this issue

Describe the feature request

A mode of the SSH check that would only check for a valid SSH connection banner. It's an upgrade from a plain TCP check but lighter weight than a full SSH check as done today.

An example of a borked OpenSSH server that passes a TCP check:

❯ nc borked.example.com 22
EHLO

... After which the connection terminates.

An example of a functioning OpenSSH server:

❯ nc fine.example.com 22
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
EHLO
Invalid SSH identification string.

... After which the connection terminates.

Why do you personally want this feature to be implemented?

While the current SSH check does allow checking an SSH endpoint it has limitations that I'd love to overcome:

  • It can only validate with authentication -> Requires exposing credentials to monitoring, even if it can be done via env variables.
  • It requires password auth -> No support for pubkey auth, requires keeping password auth enabled in sshd which is against security best practices.

How long have you been using this project?

1y

Additional information

The banner check is just the first idea I was able to confirm in a real scenario. If someone knows a bit more of the protocol then perhaps there are more quick wins a bit deeper. But, then again, a quick "does the server send any banner after TCP open" would already be a big improvement.
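
A sketch of the banner-only check requested above, added here as an illustration; it is not code from the issue or from Gatus. The function names `readSSHBanner` and `checkSSHBanner` are hypothetical, and the parsing follows the identification-string rules in RFC 4253, section 4.2. No credentials are sent at any point.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// readSSHBanner returns the server identification string (RFC 4253, section 4.2).
// Other lines may precede it; the banner starts with "SSH-" and is <= 255 bytes.
func readSSHBanner(r io.Reader) (string, error) {
	br := bufio.NewReader(io.LimitReader(r, 8192)) // cap what an unknown peer can make us read
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return "", fmt.Errorf("no SSH identification string received: %w", err)
		}
		if !strings.HasPrefix(line, "SSH-") {
			continue // pre-banner text line, allowed by the RFC
		}
		if len(line) > 255 {
			return "", fmt.Errorf("identification string exceeds 255 bytes")
		}
		banner := strings.TrimRight(line, "\r\n")
		// "2.0" is current; "1.99" marks a 2.0 server with 1.x compatibility.
		if !strings.HasPrefix(banner, "SSH-2.0-") && !strings.HasPrefix(banner, "SSH-1.99-") {
			return "", fmt.Errorf("unsupported protocol version in %q", banner)
		}
		return banner, nil
	}
}

// checkSSHBanner connects without authenticating and reads only the banner.
func checkSSHBanner(addr string, timeout time.Duration) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout)) // a silent server must not hang the check
	return readSSHBanner(conn)
}

func main() {
	// Host name taken from the issue's example; substitute a real endpoint.
	fmt.Println(checkSSHBanner("fine.example.com:22", 5*time.Second))
}
```

A server that accepts the TCP connection but never sends a banner, like the borked example in the issue, fails this check with a timeout or EOF error instead of passing.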