Bug 1591381 - Please include pam_motd
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 28
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Depends On: 1584167
 
Reported: 2018-06-14 15:10 UTC by Martin Pitt
Modified: 2018-07-08 17:09 UTC (History)

Fixed In Version: openssh-7.7p1-5.fc28
Last Closed: 2018-06-29 09:37:52 UTC



Description Martin Pitt 2018-06-14 15:10:38 UTC
Description of problem: pam_motd recently gained support for an /etc/motd.d/ directory [1]. This is useful for admins and packages to get important information to users who log in, and it's massively more flexible than the old static /etc/motd file. I.e. services can generate motd snippets in /run on demand and symlink them to /etc/motd.d/.

Cockpit has started producing a /etc/motd.d/cockpit file. But it's not shown for ssh logins right now as nothing in /etc/pam.d/ includes pam_motd.

It was found that it's not appropriate to add that to pam.d/postlogin, as that also runs for e.g. sudo and su, and thus causes too much spam.

This was recently discussed on server@. Start of thread [2], Conclusion [3]. In short, this will replace the old static Cockpit message in /etc/issue, which was wrong (didn't react to running vs. disabled) and not very user friendly (showing raw IPv6 addresses, for example).

Can you please include

    session optional pam_motd.so

into /etc/pam.d/sshd? (No further arguments, as that disables motd.d support).

Thanks!


[1] https://github.com/linux-pam/linux-pam/pull/48
[2] https://lists.fedoraproject.org/archives/list/server%40lists.fedoraproject.org/thread/55SWJA6ERCC3ZPAGEQFJK5EGAXTFX7OJ/
[3] https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org/message/HZKVNY2C2DMOCKRLLBL6YR3V4L5BY2SR/

Comment 1 Martin Pitt 2018-06-14 15:19:32 UTC
The part about cleaning up /etc/issue is bug 1591389.

Comment 2 Stephen Gallagher 2018-06-14 15:29:39 UTC
Please see https://src.fedoraproject.org/rpms/openssh/pull-request/3 for the change we request.

Comment 3 Jakub Jelen 2018-06-15 09:02:03 UTC
The PR is merged. I will build and update the package in Fedora 28 soon.

Comment 4 Fedora Update System 2018-06-27 13:24:35 UTC
openssh-7.7p1-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-73801e68f3

Comment 5 Fedora Update System 2018-06-28 15:04:33 UTC
openssh-7.7p1-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-73801e68f3

Comment 6 Fedora Update System 2018-06-29 08:43:12 UTC
openssh-7.7p1-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Sammy 2018-06-30 12:14:50 UTC
With this included, /etc/motd is printed twice when logging in remotely using
ssh. Commenting the motd line in /etc/pam.d/sshd goes back to correct behavior.

Comment 8 Martin Pitt 2018-06-30 14:41:06 UTC
@Sammy: Where else is pam_motd included for you? Please copy the output of "grep -r motd /etc/pam.d" here.

Comment 9 Sammy 2018-06-30 18:10:46 UTC
Here it is but obviously motd was already printing before this addition
to openssh.

# grep -r motd /etc/pam.d
/etc/pam.d/sshd:session    optional     pam_motd.so

Comment 10 Martin Pitt 2018-07-01 18:50:07 UTC
@Sammy: This isn't so obvious - the only place you have where pam_motd is configured is the expected one that was added in this bug report. Do you perhaps mean showing /etc/issue? This should go away and is being tracked in bug 1591389.

Comment 11 Sammy 2018-07-01 22:01:29 UTC
First, I have a /etc/motd that is custom edited to show the details of the
machine (just filled with specific text). This was always printing when we
ssh into systems BEFORE the change introduced in this bug report. With the
pam_motd it prints it twice when I log in.

When I look into sshd_config I see that PrintMotd was set to yes by default.
If I make this "no" and uncomment the line in /etc/pam.d/sshd then I only
get one motd shown on login. What was printing motd before the above change?

Comment 12 Sammy 2018-07-01 22:42:34 UTC
Here is what the double output looks like:


                    VU Computational Nuclear Theory

        System:         Dell Precision T7610n
        OpeSys:         Fedora Core 28+
        Memory:         64 GB
        DiskSp:         500 GB
  ____________________________________________________________________________
Last failed login: Sun Jul  1 17:05:22 CDT 2018 from 129.59.141.54 on ssh:notty
There were 60 failed login attempts since the last successful login.
Last login: Fri Jun 29 07:32:01 2018 from 129.59.116.43

                    VU Computational Nuclear Theory

        System:         Dell Precision T7610n
        OpeSys:         Fedora Core 28+
        Memory:         64 GB
        DiskSp:         500 GB
  ____________________________________________________________________________

Comment 13 Stephen Gallagher 2018-07-01 23:12:41 UTC
(In reply to Sammy from comment #12)
> Here is what the double output looks like:

Is it possible that you have a custom login shell that might be separately displaying the /etc/motd as part of its startup experience? Maybe someone added a display of the MOTD to /etc/profile or /etc/bashrc?

Comment 14 Sammy 2018-07-01 23:31:58 UTC
Nothing obvious. I manage all of our systems. Are you telling me that motd
was never supposed to print during ssh login before this change? It has been
printing for me since the beginning of time!

If I do "grep -r motd *" in /etc:
pam.d/sshd:session    optional     pam_motd.so
Binary file selinux/targeted/contexts/files/file_contexts.homedirs.bin matches
selinux/targeted/contexts/files/file_contexts.homedirs:/home/[^/]+/\.ircmotd    --      unconfined_u:object_r:irc_home_t:s0
Binary file selinux/targeted/policy/policy.31 matches

I also don't have anything in .bashrc etc.

Comment 15 Stephen Gallagher 2018-07-01 23:37:47 UTC
Do you have `PrintMotd yes` set in your /etc/ssh/sshd_config file? That's not enabled by default on Fedora...

Comment 16 Sammy 2018-07-01 23:39:31 UTC
No, it is commented but suggesting the default is yes:

#PrintMotd yes

Comment 17 Jakub Jelen 2018-07-02 07:26:42 UTC
The thing is that by default, the /etc/motd is empty so nothing is printed when the PrintMotd is yes in sshd_config by default (that is read separately by sshd). There are various mechanisms to support dynamic motd (sshd itself does not support that), such as pam_motd, which should be preferred from now on and that indeed has its drop-in directory for the static information you might want to show on login.


This already landed in Fedora 28 based on the request from cockpit team so the question now is if we should disable the PrintMotd in sshd_config by default or if there will be some other possibility to return the behavior to some sane one.

Comment 18 Martin Pitt 2018-07-02 08:10:34 UTC
@Jakub: IMHO pam_motd is a more general and more easily extendable solution, so disabling `PrintMotd` by default sounds right.

Comment 19 Jakub Jelen 2018-07-02 16:03:37 UTC
But in that way, it might become more confusing than before, given that there is PrintMotd option, it is disabled, but it still prints the motd from pam. Sigh ...

Comment 20 Martin Pitt 2018-07-02 18:50:05 UTC
Could this say something like

# Already shown through pam_motd in /etc/pam.d/ssh
# PrintMotd yes

so that admins see what's going on?

Comment 21 Stephen Gallagher 2018-07-02 18:57:45 UTC
(In reply to Martin Pitt from comment #20)
> Could this say something like
> 
> # Already shown through pam_motd in /etc/pam.d/ssh
> # PrintMotd yes
> 
> so that admins see what's going on?

I think Martin has the right idea here. I think it would be best for Fedora if we:
1) Changed the default to be `PrintMotd no`
2) Change the comment in the sshd_config to be:
# It is recommended to use pam_motd in /etc/pam.d/ssh instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
# PrintMotd no

Comment 22 Jakub Jelen 2018-07-03 10:39:45 UTC
That sounds reasonable. Thank you for ideas. I will update openssh with the new configuration file.

Comment 23 Fedora Update System 2018-07-03 11:15:06 UTC
openssh-7.7p1-5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-277b887f76

Comment 24 Fedora Update System 2018-07-04 18:20:10 UTC
openssh-7.7p1-5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-277b887f76

Comment 25 Fedora Update System 2018-07-06 16:43:47 UTC
openssh-7.7p1-5.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 26 Ralf Ertzinger 2018-07-08 07:52:44 UTC
This still fails for me:

[sun ethan ~ :) 10]$ rpm -q openssh-server
openssh-server-7.7p1-5.fc28.x86_64
[sun ethan ~ :) 11]$ sudo grep -i motd /etc/ssh/sshd_config
[sun ethan ~ :( (1) 12]$ sudo sshd -T | grep -i motd
printmotd yes

Comment 27 Sammy 2018-07-08 13:41:11 UTC
Do you have sshd_config.rpmnew? When I updated, the systems with an unchanged
sshd_config had it replaced, but the one where I made a manual change was not
replaced; instead sshd_config.rpmnew was created (as it should be).

Comment 28 Ralf Ertzinger 2018-07-08 16:47:17 UTC
My sshd_config is custom, and does not set PrintMotd one way or another, and never has.

My understanding of the discussion so far was that if not set in the config PrintMotd would default to "No" in openssh-server-7.7p1-5.fc28.x86_64, which isn't the case.

Comment 29 Sammy 2018-07-08 17:09:51 UTC
No, in the new sshd_config PrintMotd is explicitly set to "no". If you have
a custom sshd_config then there should be a rpmnew there. So, you need to
set "PrintMotd no" in your config file. I presume they prefer to control
the behavior with sshd_config file rather than patching the source. The
default from the source seems to be "yes".
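
The check the thread converges on (is the MOTD emitted by sshd's built-in PrintMotd, by pam_motd, or by both?) can be scripted. The following is an added example, not part of the bug report or of the openssh package; it reads a copy of the PAM service file and saved `sshd -T` output, and the function names and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify how the MOTD reaches an
# ssh login, from a PAM service file and saved `sshd -T` output.

# Succeeds if an active "session" line in PAM file $1 loads pam_motd.so.
# include/substack lines are not followed (assumption: single-file check).
pam_motd_active() {
    awk '{ sub(/#.*/, "") }                      # drop comments
         $1 ~ /^-?session$/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /(^|\/)pam_motd\.so$/) found = 1
         }
         END { exit !found }' "$1"
}

# Prints the effective value of lowercase keyword $2 from `sshd -T` output $1.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); hit = 1; exit }
                   END { if (!hit) print "unset" }' "$1"
}

# motd_status PAM_FILE SSHD_T_FILE -> duplicate | pam_motd | sshd | none
# "duplicate" means both paths are active, so a non-empty /etc/motd shows twice.
motd_status() {
    pam=no; own=no
    # PAM session modules only run when sshd has UsePAM enabled.
    if [ "$(sshd_opt "$2" usepam)" = yes ] && pam_motd_active "$1"; then
        pam=yes
    fi
    if [ "$(sshd_opt "$2" printmotd)" = yes ]; then own=yes; fi
    case "$pam:$own" in
        yes:yes) echo duplicate ;;
        yes:no)  echo pam_motd ;;
        no:yes)  echo sshd ;;
        *)       echo none ;;
    esac
}

# Constructed sample inputs (not taken from a real host).
demo=$(mktemp -d)
printf 'session    optional     pam_motd.so\n' > "$demo/pam_sshd"
printf 'usepam yes\nprintmotd yes\n' > "$demo/sshd_T_default"
printf 'usepam yes\nprintmotd no\n'  > "$demo/sshd_T_fixed"
echo "pam_motd + PrintMotd yes: $(motd_status "$demo/pam_sshd" "$demo/sshd_T_default")"
echo "pam_motd + PrintMotd no:  $(motd_status "$demo/pam_sshd" "$demo/sshd_T_fixed")"
rm -rf "$demo"
```

On a live host the two inputs would be /etc/pam.d/sshd and the output of `sudo sshd -T` saved to a file; a custom sshd_config that never sets PrintMotd reports `duplicate`, matching comment 26.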

