Re: motd handling in jessie
Russ Allbery wrote:
> Josh Triplett <firstname.lastname@example.org> writes:
> > However, I don't think "run a pile of scripts to write out a dynamic
> > MOTD at boot time" is a sensible default, either.
> Why not?
> > I'd suggest putting update-motd and update-motd.d into a separate,
> > optional package that users can install if they really want it, and
> > using either static files or /etc/issue escape sequences as the default
> > to avoid running *anything* at either boot or login time.
> This desire to avoid running something at boot is mystifying to me. Since
> when do we try to avoid running things at boot, and why would we? It's
> not like this is going to add any appreciable delay to boot time (and
> that's not a huge concern anyway).

One more (set of) shell scripts spawned at boot time adds incremental
complexity, fragility, and yes, a small amount of delay. It might not
matter much if you're spending 60 seconds booting a server; on the other
hand, with client boot times currently at a few seconds without any
optimization, <1s with a little work, and hopefully heading even lower,
spawning off even one more instance of /bin/sh than needed (along with
miscellaneous other programs invoked from a shell script) seems worth

> >> If you log in with public key authentication, does it even show
> >> anything? I bet it doesn't.
> > It does, actually, right next to the time of last login.
> Ah, then its man page is wrong.
> pam_issue is a PAM module to prepend an issue file to the username

Sorry, in my response to your question, I thought you were talking about
sshd's current Debian default to use PAM and to display the motd through
pam_motd, which it does do even for non-password login. I have not
tested pam_issue with sshd.
> If it's instead a different variation on pam_motd, that's better. But I
> think it would still be even better to make the login flow as stupid and
> simple as possible, not do a bunch of dynamic string expansion in C.

Bearing in mind that both the issue file and all of the values available
for string expansion come from trusted sources, that doesn't seem
particularly concerning. Definitely seems simpler and less fragile than
either update-motd.d or spawning a separate uname process.

- Josh Triplett