Re: Re: motd handling in jessie
Russ Allbery wrote:
> Josh Triplett <josh@joshtriplett.org> writes:
> > But not the Debian default. Debian defaults to "UsePAM yes" and
> > "PrintMotd no", and uses PAM to print the motd.
>
> Right, which I think is a bad idea, for the reasons stated earlier in this
> thread. :) I think the way to go here is to use the update-motd.d stuff
> to generate an MOTD file at boot, remove pam_motd from our default
> configuration, and go back to the upstream sshd default of displaying the
> MOTD file on login. It reduces our divergence from upstream and reduces
> the complexity of code that we're running during a security-critical code
> path.
I certainly agree that we shouldn't spawn update-motd.d from PAM at login time.
However, I don't think "run a pile of scripts to write out a dynamic
MOTD at boot time" is a sensible default, either. I'd suggest putting
update-motd and update-motd.d into a separate, optional package that
users can install if they really want it, and using either static files
or /etc/issue escape sequences as the default to avoid running
*anything* at either boot or login time.
> If you log in with public key authentication, does it even show
> anything? I bet it doesn't.
It does, actually, right next to the time of last login.
- Josh Triplett