/etc/issue banner on ssh logins

haertig · 02-09-2008, 03:01 PM

Can anyone help me configure OpenSSH/PAM to display the /etc/issue warning banner on interactive ssh logins but not on non-interactive ssh sessions?

i.e.,

ssh login@machine
banner is wanted

ssh login@machine df -k
banner is NOT wanted

Currently I see the banner on all ssh sessions. The system was built from a standard JumpStart image that our company uses for lab boxes, and I don't know all the details about the original setup. I am feeling my way around the box to see how things were installed.

I realize I can kill the banner on the non-interactive stuff by redirecting stderr to /dev/null, but that is not the solution I am after.

The "Banner" line in sshd_config is currently commented out, so I believe the banner I'm seeing now (in all cases) must be coming from PAM. The system is set up to use a single pam.conf file (I think, because I can't locate any other PAM configuration stuff except this file).

In pam.conf I don't see any specific ssh config, so it must be falling back to "login" or "other". Nor do I see any calls to pam_issue, so some other module must be calling that by default. Since the banner shows up before login credentials are asked for it must be one of the first PAM modules doing this - I suspect pam_authtok_get. Per the manpage, pam_authtok_get implements pam_sm_authenticate which apparently accepts a flag PAM_SILENT, which might be what I'm after. I'm not sure.

So, how do I make what I want to do work? I've seen it done on other systems (from the user perspective, not how it was actually implemented). I am not an "officially trained" Solaris sysadm but I've been called on to maintain this lab system. I do not know much about PAM. I may be off base in where I'm looking, so I'm asking for some help.

Thanks!

Code:

#
# uname -a
SunOS tsdshire01 5.9 Generic_122300-13 sun4u sparc SUNW,Sun-Fire-V240
#
# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.4
^C
#
# grep issue /etc/profile
#
# grep issue /etc/ssh/sshd_config
#Banner /etc/issue
#
# egrep -i "^PAM" /etc/ssh/sshd_config
PAMAuthenticationViaKBDInt yes
#
# find /etc -name "*pam*" -print
/etc/pam.conf
#
# grep issue /etc/pam.conf
#
# grep ssh /etc/pam.conf
#
# egrep "^(login|other)" /etc/pam.conf
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#