I would like to disable or change the MOTD shown on SSH login on a per-group/per-user basis. This question on SuperUser has an answer stating that I can use Match blocks in sshd_config. However, man sshd_config states:
Match
...
Only a subset of keywords may be used on the lines following a
Match keyword. Available keywords are AcceptEnv,
AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
AuthorizedKeysCommandUser, AuthorizedKeysFile,
AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
KbdInteractiveAuthentication, KerberosAuthentication,
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
PermitTunnel, PubkeyAuthentication, RekeyLimit,
RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
X11Forwarding and X11UseLocalHost.
And I can't see anything related to MOTD in that list. And indeed, trying to use that suggestion causes sshd to fail to start because of incorrect configuration.
So, can I do this? If so, how? From the SSH configuration or by altering whatever generates/prints the MOTD?
Altering files in /etc/update-motd.d isn't useful, since, according to man update-motd:
Executable scripts in /etc/update-motd.d/* are executed by pam_motd(8)
as the root user at each login, and this information is concatenated in
/var/run/motd.
(I tested this out with a script that did echo $USER. I got a root in my MOTD.)
That leaves PAM configuration. I imagine it might be possible to disable pam_motd on a per-group/user basis, but I am not sure how to do it. The last option would be to disable pam_motd altogether, and use pam_exec, but I really hope it doesn't come to that.
Here is an implementation of per user/group motd inspired by motd or login banner per user.
First comment out:
in /etc/pam.d/login and set PrintMotd no in /etc/ssh/sshd_config.
Then you could define your per user/group message script and put it in a folder, for example:
In these folders you can create executable scripts for each group or user that print the message of the day on standard output.
You could create /etc/profile.d/perUserGroupMotd.sh with the following lines:
Or you can use a file to enable/disable the message and then run /path/to/script -g $gidName or /path/to/script -u $USER; obviously there are many different possible implementations.
About pam_motd, in the end I found these two bugs:
update-motd patch is: unset environment and manually set PATH variable.
update-motd. In a multi-user system, multiple concurrent accesses can result in a corrupted motd.
For these reasons I guess it is not possible to use pam_motd for your objective.
The HUSHLOGIN_FILE directive in /etc/login.defs should inhibit all the usual chatter during the login sequence, so any output is suppressed, even the last login date.
I guess that motd is designed to reach all users in the system, and because of this ssh and pam_motd simply enable or disable it for all users.
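
One way to write the /etc/profile.d/perUserGroupMotd.sh script described in the answer above, as an added example that is not the answer author's code. The /etc/motd-per.d layout, the MOTD_BASE and MOTD_OWNER variables and the function names are assumptions made for illustration; the ownership and permission check is an addition so that only administrator-controlled scripts are run.

```shell
# /etc/profile.d/perUserGroupMotd.sh
# Sourced by login shells, so everything here runs as the user logging in.
#
# Assumed layout (hypothetical; adjust to your own):
#   $MOTD_BASE/users/<user>     executable script printing that user's message
#   $MOTD_BASE/groups/<group>   executable script printing that group's message
MOTD_BASE="${MOTD_BASE:-/etc/motd-per.d}"
MOTD_OWNER="${MOTD_OWNER:-root}"   # required owner of every message script

# Run message script $1 only if it is a regular file (not a symlink), is
# executable, is owned by $MOTD_OWNER and is not group- or world-writable.
motd_run_script() {
    [ -x "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -user "$MOTD_OWNER" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
    "$1"
}

# show_motd USER [GROUP...]: a per-user message wins; without one, print the
# message of every listed group that has a script.
show_motd() {
    motd_run_script "$MOTD_BASE/users/$1" && return 0
    shift
    for _motd_group in "$@"; do
        motd_run_script "$MOTD_BASE/groups/$_motd_group" || :
    done
    unset _motd_group
    return 0
}

# Print only on interactive shells, so non-interactive sessions get no
# unexpected output. Group names containing whitespace are not handled.
case $- in
    *i*) show_motd "$(id -un)" $(id -Gn) ;;
esac
```

Because this runs in the user's own shell rather than as root, a user can bypass it (for example by starting a non-login shell), so treat these messages as informational rather than as an enforced banner.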