Can anyone help me configure OpenSSH/PAM to display the /etc/issue warning banner on interactive ssh logins but not on non-interactive ssh sessions?
i.e.,
ssh login@machine
banner is wanted
ssh login@machine df -k
banner is NOT wanted
Currently I see the banner on all ssh sessions. The system was built from a standard JumpStart image that our company uses for lab boxes, and I don't know all the details about the original setup. I am feeling my way around the box to see how things were installed.
I realize I can kill the banner on the non-interactive stuff by redirecting stderr to /dev/null, but that is not the solution I am after.
The "Banner" line in sshd_config is currently commented out, so I believe the banner I'm seeing now (in all cases) must be coming from PAM. The system is set up to use a single pam.conf file (I think, because I can't locate any other PAM configuration stuff except this file).
In pam.conf I don't see any specific ssh config, so it must be falling back to "login" or "other". Nor do I see any calls to pam_issue, so some other module must be calling that by default. Since the banner shows up before login credentials are asked for it must be one of the first PAM modules doing this - I suspect pam_authtok_get. Per the manpage, pam_authtok_get implements pam_sm_authenticate which apparently accepts a flag PAM_SILENT, which might be what I'm after. I'm not sure.
So, how do I make what I want to do work? I've seen it done on other systems (from the user perspective, not how it was actually implemented). I am not an "officially trained" Solaris sysadm but I've been called on to maintain this lab system. I do not know much about PAM. I may be off base in where I'm looking, so I'm asking for some help.
Thanks!
Code:
#
# uname -a
SunOS tsdshire01 5.9 Generic_122300-13 sun4u sparc SUNW,Sun-Fire-V240
#
# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.4
^C
#
# grep issue /etc/profile
#
# grep issue /etc/ssh/sshd_config
#Banner /etc/issue
#
# egrep -i "^PAM" /etc/ssh/sshd_config
PAMAuthenticationViaKBDInt yes
#
# find /etc -name "*pam*" -print
/etc/pam.conf
#
# grep issue /etc/pam.conf
#
# grep ssh /etc/pam.conf
#
# egrep "^(login|other)" /etc/pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
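An added example, not part of the original post: a small shell helper that shows which pam.conf entries actually apply to a service, which is the lookup the post reasons about by hand. It assumes Solaris pam.conf semantics (a service with no entries of a given module type uses the `other` entries for that type) and that sshd registers with PAM under the service name `sshd`; the function names and the embedded sample, built from the lines shown in the post, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the login/other entries shown in the post's /etc/pam.conf.
sample_pam_conf() {
cat <<'EOF'
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
EOF
}

# effective_stack SERVICE TYPE [FILE]
# Prints the entries that apply to SERVICE for module TYPE (auth, account,
# session, password): the service's own lines if it has any of that type,
# otherwise the "other" lines. Reads FILE if given, else the sample above.
effective_stack() {
    svc=$1; mtype=$2; file=${3:-}
    if [ -n "$file" ]; then cat "$file"; else sample_pam_conf; fi |
    awk -v svc="$svc" -v mtype="$mtype" '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 != mtype          { next }      # only the requested module type
        $1 == svc            { own[++n] = $0 }
        $1 == "other"        { oth[++m] = $0 }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print own[i] }
            else       { for (i = 1; i <= m; i++) print oth[i] }
        }'
}

# Show the stack sshd would get for each module type (assumed service name).
for t in auth account session password; do
    echo "== sshd / $t"
    effective_stack sshd "$t"
done
```

On the real system, pass the file as the third argument, for example `effective_stack sshd auth /etc/pam.conf`.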