Skip to content
This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Disable Ubuntu dynamic login MOTD #271

Closed
ancoron opened this issue Apr 3, 2020 · 3 comments
Closed

Disable Ubuntu dynamic login MOTD #271

ancoron opened this issue Apr 3, 2020 · 3 comments
Labels
bug

Comments

@ancoron
Copy link
Contributor

ancoron commented Apr 3, 2020

Is your feature request related to a problem? Please describe.

Although I have explicitly set the following, the standard dynamic Ubuntu MOTD is still displayed upon login via SSH:

ssh_print_motd: false
ssh_print_last_log: false
ssh_banner: false
ssh_print_debian_banner: false

Example:

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux <redacted> x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Apr  3 09:09:09 UTC 2020

  System load:  0.08              Processes:           666
  Usage of /:   13.9% of 7.69GB   Users logged in:     1
  Memory usage: 15%               IP address for eth0: <redacted>
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Describe the solution you'd like

The following lines in /etc/pam.d/sshd should be commented out or removed when variable ssh_print_motd is false and the OS is Ubuntu:

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

Describe alternatives you've considered

All MOTD or banner related variables set to false.

Additional context
n/a
@rndmh3ro
Copy link
Member

rndmh3ro commented Apr 4, 2020

Thanks @ancoron, fo raising this issue and thanks to whoever thought it was a good idea to add yet another method for managing motd.
We can do this with the https://docs.ansible.com/ansible/latest/modules/pamd_module.html module. Do you want to take a stab at it?

@rndmh3ro rndmh3ro added the bug label Apr 4, 2020
@ancoron
Copy link
Contributor Author

ancoron commented Apr 9, 2020

I just tested with the pamd module (previously had a simple replace task and the following works for me:

- name: Disable dynamic MOTD
  pamd:
    name: sshd
    type: session
    control: optional
    module_path: pam_motd.so
    state: absent

@rndmh3ro
Copy link
Member

This looks good! Do you want to create a PR to add this? We'd need the when-condition on the task and put it into the hardening.yml

rndmh3ro added a commit that referenced this issue Apr 18, 2020
@rndmh3ro
Merge pull request #273 from ancoron/feature/ubuntu-dynamic-motd-banner
3de3975 
Disable also dynamic MOTD via PAM if enabled - refs #271
@ancoron ancoron closed this as completed May 13, 2020
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ancoron @rndmh3ro