
I have a warning message that is displayed to a user after they enter their username to log in to our Linux servers. I only want to display this message for password authentications, and not when keys are used. It should only show to a user who is logging into a host, and not when they are sshing from one host to another (our hosts all have keys set up so we can ssh from one to another without entering passwords).

Currently, I have a line for Banner in the /etc/ssh/sshd_config file which points to a text file containing the warning message. Banner doesn't appear to have any further config options, so I'm wondering if there is a way to do this with pam or some other mechanism? Thanks.

2 Answers


Yes, you can use the pam_echo plugin:

auth required pam_unix.so
auth optional pam_echo.so file=/etc/ssh/password_banner.txt

This should produce the pam_echo output after password login.

See http://www.linux-pam.org/Linux-PAM-html/sag-pam_echo.html for docs.

Edit: You'll also need to make sure you have UsePAM yes in your sshd_config. Replaced password with auth.

  • This needs to use the auth type, not password. Commented Jun 9, 2010 at 15:06
  • That's perfect, thanks. I put those 2 lines in /etc/pam.d/sshd and used auth instead of password. Is there a better place to add these 2 lines?
    – Banjer
    Commented Jun 9, 2010 at 15:43
  • Unfortunately my SLES 9 servers do not have the pam_echo.so module installed (only SLES 10+ seems to have it). Any ideas where I can download this module?
    – Banjer
    Commented Jun 9, 2010 at 16:57

I only want to display this message for password authentications, and not when keys are used. It should only show to a user who is logging into a host, and not when they are sshing from one host to another (our hosts all have keys set up so we can ssh from one to another without entering passwords).

Are you talking about user keys ~/.ssh/authorized_keys or host keys /etc/ssh/ssh_known_hosts?

Currently, I have a line for Banner in the /etc/ssh/sshd_config file which points to a text file containing the warning message.

Banner is displayed before any authentication happens.

I'm wondering if there is a way to do this with pam or some other mechanism?

You can try checking the remote (source) hostname: check with pam_access if the user comes from outside your network:

session [success=1 default=ignore] pam_access.so accessfile=/etc/pam_access_localnet.conf
session optional pam_echo.so file=/etc/notice

/etc/pam_access_localnet.conf:

+ : ALL : 192.168.201.0/24
- : ALL : ALL
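As an added example that is not part of either answer: the two ideas above (a PAM hook that only fires for password logins, plus a source-network check) can also be combined in one script run by pam_exec.so from the auth stack, which sshd only enters for password or keyboard-interactive logins, never for public-key ones. The hook line, the script path, the 192.168.201.0/24 network and the banner file path are assumptions taken from or modelled on the answers.

```sh
#!/bin/sh
# Added example (not from either answer): print the warning only for password
# logins from outside the local network. Assumed hook in /etc/pam.d/sshd:
#   auth optional pam_exec.so stdout /usr/local/sbin/password_banner.sh
# sshd runs the PAM auth stack only for password/keyboard-interactive logins,
# never for public keys; pam_exec exports PAM_RHOST and PAM_TYPE to the script.
LOCALNET="192.168.201.0/24"                 # network from the answer above
BANNER_FILE="/etc/ssh/password_banner.txt"  # file from the first answer

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255
is_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# ip_to_int ADDR: print the dotted quad as a 32-bit integer
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_localnet ADDR NET/BITS: succeed if ADDR lies inside the CIDR block
in_localnet() {
  netaddr=${2%/*}; bits=${2#*/}
  is_ipv4 "$1" && is_ipv4 "$netaddr" || return 1
  case $bits in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$netaddr") & mask )) ]
}

# should_show_banner RHOST: succeed when the banner must be printed. A value
# that is not an IPv4 literal (hostname via UseDNS, IPv6, empty) cannot be
# proven local, so the warning is shown rather than suppressed.
should_show_banner() {
  is_ipv4 "$1" || return 0
  if in_localnet "$1" "$LOCALNET"; then return 1; else return 0; fi
}
main() {
  if should_show_banner "${PAM_RHOST:-}"; then cat "$BANNER_FILE"; fi
  return 0   # the module is 'optional', so never let the banner fail the login
}
# Run only when invoked by pam_exec from the auth stack, not when sourced
case ${PAM_TYPE:-} in auth) main ;; esac
```

Because the check lives in the auth stack, a key-based host-to-host ssh never sees it, while a password login from inside the listed network is also silenced by the address test.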
