Set user- or group-specific MOTD in SSH
I would like to disable or change the MOTD shown on SSH login on a per-group/per-user basis. This question on SuperUser has an answer stating that I can use Match blocks in sshd_config. However, man sshd_config states:
Match
...
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AcceptEnv,
AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
AuthorizedKeysCommandUser, AuthorizedKeysFile,
AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
KbdInteractiveAuthentication, KerberosAuthentication,
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
PermitTunnel, PubkeyAuthentication, RekeyLimit,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
X11Forwarding and X11UseLocalHost.
And I can't see anything related to MOTD in that list. And indeed, trying to use that suggestion causes sshd to fail to start because of incorrect configuration.
So, can I do this? If so, how? From the SSH configuration or by altering whatever generates/prints the MOTD?
Altering files in /etc/update-motd.d isn't useful, since, according to man update-motd:
Executable scripts in /etc/update-motd.d/* are executed by pam_motd(8)
as the root user at each login, and this information is concatenated in
/var/run/motd.
(I tested this out with a script that did echo $USER. I got a root in my MOTD.)
That leaves PAM configuration. I imagine it might be possible to disable pam_motd on a per-group/user basis, but I am not sure how to do it. The last option would be to disable pam_motd altogether, and use pam_exec, but I really hope it doesn't come to that.
Here is an implementation of per user/group motd inspired by motd or login banner per user
First comment out:
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so
in /etc/pam.d/login and set PrintMotd no in /etc/ssh/sshd_config
Then you could define your per user/group message script and put it in a folder, for example:
sudo mkdir -p /etc/mymotd/groups
sudo mkdir -p /etc/mymotd/users
In these folders you can create executable scripts for each group or user that print the message of the day on standard output.
You could create /etc/profile.d/perUserGroupMotd.sh with the following lines:
# primary group name of the user logging in
gidName=$(id -gn)
# prefer a group-specific script, fall back to a user-specific one
if [ -e "/etc/mymotd/groups/$gidName" ]; then
    "/etc/mymotd/groups/$gidName"
else
    if [ -e "/etc/mymotd/users/$USER" ]; then
        "/etc/mymotd/users/$USER"
    fi
fi
or you can use a file to enable/disable the message and then run /path/to/script -g $gidName or /path/to/script -u $USER; obviously there are many different possible implementations.
About pam_motd, at the end I found these two bugs:
- pam_motd runs commands as root with unsanitised environment: this is a security hole and the update-motd patch is: unset environment and manually set PATH variable.
- Multiple issues with pam_motd update-motd code: one of these multiple issues is about a missing lock on the file generated by update-motd. In a multi-user system, multiple concurrent accesses can result in a corrupted motd.
For these reasons I guess it is not possible to use pam_motd for your objective.
The HUSHLOGIN_FILE directive in /etc/login.defs should inhibit all the usual chatter during the login sequence, so any output is suppressed, even the last login date.
I guess that motd is designed to reach all users in the system and because of this ssh and pam_motd simply enable or disable it for all users.
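The /etc/profile.d approach from the answer above, carried a bit further as an added example (this is not the answer's script): it considers every group the user belongs to rather than only the primary group, and it refuses to run a MOTD script that is not owned by the expected uid or is group/world writable, since such a script executes inside the login shell of every matching user. The function names select_motd and motd_script_ok, the MOTD_BASE variable and the reliance on GNU/busybox `stat -c` are my assumptions, not anything from the answer.

```shell
# Added example, not the answer's script: choose a per-group or per-user MOTD
# script under MOTD_BASE (assumed name; the answer uses /etc/mymotd) and run it
# only if the file passes ownership and permission checks.

MOTD_BASE="${MOTD_BASE:-/etc/mymotd}"

# motd_script_ok FILE OWNER_UID
# Returns 0 only if FILE is a regular executable file owned by OWNER_UID and
# not writable by group or others. Uses `stat -c` (GNU coreutils / busybox;
# assumption: Linux host).
motd_script_ok() {
    f="$1"; want_uid="$2"
    [ -f "$f" ] && [ -x "$f" ] || return 1
    st=$(stat -c '%a %u' "$f" 2>/dev/null) || return 1
    mode=${st% *}
    uid=${st#* }
    [ "$uid" = "$want_uid" ] || return 1
    # The last two octal digits are the group and other bits; reject the file
    # if either has the write bit (2) set, i.e. the digit is 2, 3, 6 or 7.
    case "${mode#${mode%??}}" in
        *[2367]?|?[2367]) return 1 ;;
    esac
    return 0
}

# select_motd BASE USER "GROUP..." OWNER_UID
# Prints the path of the first acceptable script: one per group, in the order
# given (primary group first, as `id -Gn` prints them), then the user's own.
# Precedence follows the answer: group script before user script.
# Returns 1 if nothing qualifies.
select_motd() {
    base="$1"; user="$2"; grps="$3"; owner="$4"
    for g in $grps; do
        if motd_script_ok "$base/groups/$g" "$owner"; then
            printf '%s\n' "$base/groups/$g"
            return 0
        fi
    done
    if motd_script_ok "$base/users/$user" "$owner"; then
        printf '%s\n' "$base/users/$user"
        return 0
    fi
    return 1
}

# What /etc/profile.d/perUserGroupMotd.sh would do at login: only root-owned
# (uid 0) scripts are eligible; nothing is printed when no script matches.
if motd_script=$(select_motd "$MOTD_BASE" "$(id -un)" "$(id -Gn)" 0); then
    "$motd_script"
fi
unset motd_script
```

Sourced from /etc/profile.d, the two function definitions plus the final `if` are all that run at login. The owner argument is 0 in that call so that only root-owned, non-writable scripts under /etc/mymotd are ever executed; the functions take the owner as a parameter only so the selection logic can be exercised against files created by an unprivileged user.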