Home / server / Questions / 805818
Accepted
yael
Asked: 2016-09-29 01:40:35 +0800 CST

is it possible to ignore banner on ssh but not from login

  • 772

As we all know, we can type banner in /etc/motd or in the file /etc/issue.net, so every user that login to the Linux machine will get the banner message, for example:

Red Hat Enterprise Linux Server release 6.8 (Santiago)
Kernel \r on an \m
##########################################################################
#                               Welcome to OBAMA house !!!
#                         All connections are monitored and recorded
#                Disconnect IMMEDIATELY if you are not an authorized user!
#
##########################################################################

The problem is that the banner is displayed also when we login remotely via ssh to the Linux machines (as opposed to login locally).

We can simply ignore the banner in the ssh by using the flag -q as the following:

ssh -q  192.19.23.45 ls /hillary_emails

In fact we have more then ~100 Bash and Perl scripts that use ssh, so if we add banners to all the machines we need to change also the scripts that use the ssh command, by adding the flag -q (silent mode).

We prefer not to edit the scripts, due to internal reasons. So my question is, is it possible to change the Linux client configuration in a way the banner will display only on local logins, and not display when login remotely by ssh?

linux redhat bash operating-system banner

3 Answers

  1. I think the SSHD option PrintMotd no can help you. Add it in /etc/ssh/sshd_config. The doc says : 

    PrintMotd
             Specifies whether sshd(8) should print /etc/motd when a user logs in interactively.  (On some systems it is also
             printed by the shell, /etc/profile, or equivalent.)  The default is “yes”.
    • 2
  2. Best Answer

    You can create a group and add the relevant users to that group:

    groupadd nobanner
usermod -a -G nobanner username

    Then, you can edit /etc/ssh/sshd_config and add the following:

    Match Group nobanner
    banner "none"

    Then, restart sshd and test it.

    Match   Introduces a conditional block.  If all of the criteria on the Match 
        line are satisfied, the keywords on the following lines override those 
        set in the global section of the config file, until either another Match 
        line or the end of the file.

        The arguments to Match are one or more criteria-pattern pairs.  The 
        available criteria are User, Group, Host, and Address.  The match 
        patterns may consist of single entries or comma-separated lists and may 
        use the wildcard and negation operators described in the PATTERNS 
        section of ssh_config(5).
    • 2

  3. The message of the day should not be displayed in non-interactive sessions. For example when you run ssh 192.19.23.45 ls, that non-interactively runs commands, and the message of the day ("motd") is should not be displayed.

    The same applies to any Bash or Perl (or whatever other) scripts that use ssh. Scripts will always perform tasks in non-interactive mode, and the message of the day should not be displayed.

    If you find the contrary in your system, that would be some sort of misconfiguration that we can try to debug, but it's not the default behavior.

    So if your main concern is scripts, then there is nothing to worry about. If you don't want the message of the day displayed for users who login remotely with ssh, that's a different matter, and the existing answers may help. (But I consider that request a bit strange: I don't see why you wouldn't want to show the message to users (non-scripts), in their interactive remote sessions.)

    • 0