Re: Re: motd handling in jessie
Russ Allbery wrote:
> Josh Triplett <firstname.lastname@example.org> writes:
> > But not the Debian default. Debian defaults to "UsePAM yes" and
> > "PrintMotd no", and uses PAM to print the motd.
> Right, which I think is a bad idea, for the reasons stated earlier in this
> thread. :) I think the way to go here is to use the update-motd.d stuff
> to generate an MOTD file at boot, remove pam_motd from our default
> configuration, and go back to the upstream sshd default of displaying the
> MOTD file on login. It reduces our divergence from upstream and reduces
> the complexity of code that we're running during a security-critical code
I certainly agree that we shouldn't spawn update-motd.d from PAM at login time.
However, I don't think "run a pile of scripts to write out a dynamic
MOTD at boot time" is a sensible default, either. I'd suggest putting
update-motd and update-motd.d into a separate, optional package that
users can install if they really want it, and using either static files
or /etc/issue escape sequences as the default to avoid running
*anything* at either boot or login time.
> If you log in with public key authentication, does it even show
> anything? I bet it doesn't.
It does, actually, right next to the time of last login.
- Josh Triplett