diff --git a/ssh/server.c b/ssh/server.c
index 4e315874..d3a129fa 100644
--- a/ssh/server.c
+++ b/ssh/server.c
@@ -502,6 +502,7 @@ void ssh_sw_abort(Ssh *ssh, const char *fmt, ...)
 void ssh_user_close(Ssh *ssh, const char *fmt, ...)
 {
     server *srv = container_of(ssh, server, ssh);
+    ssh_bpp_handle_output(srv->bpp);
     LOG_FORMATTED_MSG(srv->logctx, fmt);
     queue_toplevel_callback(ssh_server_free_callback, srv);
 }
diff --git a/ssh/server.h b/ssh/server.h
index c2b3647b..dc73747c 100644
--- a/ssh/server.h
+++ b/ssh/server.h
@@ -23,6 +23,7 @@ struct SshServerConfig {
     bool stunt_open_unconditional_agent_socket;
     bool stunt_allow_trivial_ki_auth;
     bool stunt_return_success_to_pubkey_offer;
+    bool stunt_close_after_banner;
 };
 
 Plug *ssh_server_plug(
diff --git a/ssh/userauth2-server.c b/ssh/userauth2-server.c
index bfe258ce..a7e8929c 100644
--- a/ssh/userauth2-server.c
+++ b/ssh/userauth2-server.c
@@ -113,6 +113,21 @@ static void ssh2_userauth_server_add_session_id(
     }
 }
 
+static void ssh2_userauth_server_close_after_banner(void *vctx)
+{
+    struct ssh2_userauth_server_state *s =
+        (struct ssh2_userauth_server_state *)vctx;
+
+    if (pq_peek(s->ppl.out_pq)) {
+        /* Don't close the connection until we've passed on our final banner
+         * packet to the lower layer */
+        queue_toplevel_callback(ssh2_userauth_server_close_after_banner, s);
+    } else {
+        ssh_user_close(s->ppl.ssh, "Closing connection on request due to "
+                       "--close-after-banner");
+    }
+}
+
 static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
 {
     struct ssh2_userauth_server_state *s =
@@ -131,6 +146,11 @@ static void ssh2_userauth_server_process_queue(PacketProtocolLayer *ppl)
         pq_push(s->ppl.out_pq, pktout);
     }
 
+    if (s->ssc->stunt_close_after_banner) {
+        queue_toplevel_callback(ssh2_userauth_server_close_after_banner, s);
+        crReturnV;
+    }
+
     while (1) {
         crMaybeWaitUntilV((pktin = ssh2_userauth_server_pop(s)) != NULL);
         if (pktin->type != SSH2_MSG_USERAUTH_REQUEST) {
diff --git a/unix/uppity.c b/unix/uppity.c
index 36f2c99d..711c2952 100644
--- a/unix/uppity.c
+++ b/unix/uppity.c
@@ -924,6 +924,8 @@ int main(int argc, char **argv)
             ci->ssc.stunt_allow_trivial_ki_auth = true;
         } else if (!strcmp(arg, "--return-success-to-pubkey-offer")) {
             ci->ssc.stunt_return_success_to_pubkey_offer = true;
+        } else if (!strcmp(arg, "--close-after-banner")) {
+            ci->ssc.stunt_close_after_banner = true;
         } else {
             fprintf(stderr, "%s: unrecognised option '%s'\n", appname, arg);
             exit(1);