How to display SSH banner at login, but only for password authentication
I have a warning message that is displayed to a user after they enter their username to log in to our Linux servers. I only want to display this message for password authentications, and not when keys are used. It should only show to a user who is logging into a host, and not when they are sshing from one host to another (our hosts all have keys set up so we can ssh from one to another without entering passwords).
Currently, I have a line for Banner in the /etc/ssh/sshd_config file which points to a text file containing the warning message. Banner doesn't appear to have any further config options, so I'm wondering if there is a way to do this with pam or some other mechanism? Thanks.
Yes, you can use the pam_echo plugin:
auth required pam_unix.so
auth optional pam_echo.so file=/etc/ssh/password_banner.txt
This should produce the pam_echo output after password login.
See http://www.linux-pam.org/Linux-PAM-html/sag-pam_echo.html for docs.
Edit: You'll also need to make sure you have UsePAM yes in your sshd_config. Replaced password with auth.
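A quick audit of the two files the answer above changes, as an added example that is not part of the original answer: it checks that UsePAM yes is in effect, that pam_echo.so is in the auth stack, and warns when a global Banner is still set, because sshd sends that file before authentication whatever method is used. The function names and the sample files are constructed for illustration; on a real host the inputs would typically be /etc/ssh/sshd_config and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example: function names and sample files are hypothetical.

# Print the value of a global sshd_config keyword.
# sshd uses the first occurrence and keywords are case-insensitive;
# scanning stops at the first Match block.
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Succeed if an uncommented auth line loads pam_echo.so.
pam_echo_in_auth() {  # $1 = PAM service file
    awk '$1 == "auth" {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /(^|\/)pam_echo\.so$/) found = 1
         }
         END { exit !found }' "$1"
}

# Return 0 when the password-only banner setup is in place.
check_password_banner() {  # $1 = sshd_config, $2 = PAM service file
    rc=0
    [ "$(sshd_value UsePAM "$1" | tr 'A-Z' 'a-z')" = "yes" ] ||
        { echo "FAIL: UsePAM is not yes, so sshd does not use PAM"; rc=1; }
    pam_echo_in_auth "$2" ||
        { echo "FAIL: no pam_echo.so entry in the auth stack"; rc=1; }
    banner=$(sshd_value Banner "$1")
    case "$banner" in
        ''|none) ;;
        *) echo "WARN: Banner $banner is sent before every login, keys included" ;;
    esac
    return $rc
}

# Constructed sample files mirroring the configuration in the answer.
demo=$(mktemp -d)
printf 'Banner /etc/ssh/login_banner.txt\nUsePAM yes\n' > "$demo/sshd_config"
printf '%s\n' 'auth required pam_unix.so' \
    'auth optional pam_echo.so file=/etc/ssh/password_banner.txt' > "$demo/sshd"

check_password_banner "$demo/sshd_config" "$demo/sshd"
```

On the sample files the check passes but prints the WARN line, since the constructed sshd_config still carries a Banner directive.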