SSH MOTD per user
I want to display a banner (welcome message) for SSH users, with a specific welcome message for each user.
Solution 1:
You did not specify what SSH server you are using. I'm assuming OpenSSH.
Note that the SSH banner and the MOTD are two different things.
While almost indistinguishable in an SSH terminal, they have a different behavior, for example, in an SFTP client.
The MOTD is just a text printed on an interactive terminal. So, it won't (and cannot) be sent to SFTP clients, for example (more about that later).
The MOTD is hard-coded to the /etc/motd in OpenSSH. You can turn it on/off globally only, using the PrintMotd directive.
On some Linux systems, however, the PrintMotd is always off and the MOTD is printed by the PAM stack instead (using the pam_motd module). In this case you can turn it off via the /etc/pam.d/sshd or specify a custom motd= path as a module parameter.
The SSH banner is a special SSH 2.0 feature, sent in a specific SSH packet (SSH2_MSG_USERAUTH_BANNER).
As such, even non-terminal clients, like SFTP clients, can process it and display it to the user. See how the banner displays in the WinSCP SFTP/SCP client, for example.
The SSH banner is configurable per user (or group or other criteria) in the sshd_config using the Banner and the Match directives:
    Match User username1
        Banner /etc/banner_user1
    Match User username2
        Banner /etc/banner_user2
See also Disable ssh banner for specific users or ips.
Of course, you can also use a custom implementation for the message/banner. Simply print a message selected using your custom logic from a global profile script.
As with the MOTD, this won't work for non-interactive sessions (SFTP and the like).
More importantly, not only will it not work, you need to make sure that you print the message for an interactive terminal only, which is what OpenSSH does automatically for the /etc/motd. Either use a global profile script that executes for an interactive terminal only, or print the message conditionally based on the value of the TERM environment variable.
If you print the message for a non-interactive session, you break any client that uses a strict protocol, such as the SFTP or the SCP, as the client will try to interpret your text message as a protocol message, failing badly.
See, for example, the description of such an issue in the documentation of the WinSCP SFTP/SCP client.
(I'm the author of WinSCP)
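
The custom profile-script approach described above, as an added example (not part of the original answer and not OpenSSH's own code). The file name `/etc/profile.d/user-motd.sh`, the `MOTD_DIR` directory layout and the function names are assumptions made for illustration.

```sh
# /etc/profile.d/user-motd.sh (hypothetical file name)
# Per-user welcome message, printed for interactive terminals only.
# MOTD_DIR holds one text file per user name plus an optional "default"
# file; this layout is an assumption of the example, not an OpenSSH feature.
MOTD_DIR="${MOTD_DIR:-/etc/motd.d/users}"

# True only when stdout is a terminal and TERM is set to a real terminal
# type. Sessions without a terminal (SFTP, SCP, remote commands) fail this
# check, so nothing is written into their protocol stream.
is_interactive_terminal() {
    [ -t 1 ] && [ -n "${TERM:-}" ] && [ "$TERM" != "dumb" ]
}

# Write the message selected for user $1 to stdout.
# Returns 1 for names that could point outside MOTD_DIR.
user_motd_text() {
    case "$1" in
        ''|.*|*/*) return 1 ;;   # empty name, dotfile, or path separator
    esac
    if [ -f "$MOTD_DIR/$1" ] && [ -r "$MOTD_DIR/$1" ]; then
        cat -- "$MOTD_DIR/$1"
    elif [ -f "$MOTD_DIR/default" ] && [ -r "$MOTD_DIR/default" ]; then
        cat -- "$MOTD_DIR/default"
    fi
}

# Gate the message on the terminal check; never fail the login script.
print_user_motd() {
    is_interactive_terminal || return 0
    user_motd_text "$1" || return 0
}

print_user_motd "${USER:-$(id -un)}"
```
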
Solution 2:
You can use the "$HOME/.ssh/rc" file too to achieve what you want to do:
    echo "echo Hello World" > /home/pluto/.ssh/rc
    ssh pluto@localhost
    Last login: Thu Dec 18 08:46:16 2014 from localhost.localdomain
    Hello World
So, you can have one ssh rc for every user.