
Re: motd handling in jessie



Josh Triplett <josh@joshtriplett.org> writes:

> But not the Debian default.  Debian defaults to "UsePAM yes" and
> "PrintMotd no", and uses PAM to print the motd.

Right, which I think is a bad idea, for the reasons stated earlier in this
thread.  :)  I think the way to go here is to use the update-motd.d stuff
to generate an MOTD file at boot, remove pam_motd from our default
configuration, and go back to the upstream sshd default of displaying the
MOTD file on login.  It reduces our divergence from upstream and reduces
the complexity of code that we're running during a security-critical code
path.

> In any case, the /etc/issue escapes have a major advantage over every
> other solution thus-far proposed: they don't actually involve running
> any extra programs, ever.  Not at boot, not periodically, and not at
> login time.  Instead, whatever processes /etc/issue (either agetty or
> pam_issue) just runs an extra syscall to obtain uname information, and
> prints it.  (And note that Debian's default /etc/issue *already* prints
> one such piece of information.)

And has the disadvantage that it doesn't print the MOTD.  It wedges a
bunch of extra stuff into the login prompt, at least according to the man
page for pam_issue.  If you log in with public key authentication, does it
even show anything?  I bet it doesn't.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

