Description of problem:
pam_motd recently gained support for an /etc/motd.d/ directory [1]. This is useful for admins and packages to get important information to users who log in, and it's massively more flexible than the old static /etc/motd file. I.e. services can generate motd snippets in /run on demand and symlink them to /etc/motd.d/.
Cockpit has started producing a /etc/motd.d/cockpit file. But it's not shown for ssh logins right now as nothing in /etc/pam.d/ includes pam_motd. It was found that it's not appropriate to add that to pam.d/postlogin, as that also runs for e.g. sudo and su, and thus causes too much spam.
This was recently discussed on server@. Start of thread [2], Conclusion [3]. In short, this will replace the old static Cockpit message in /etc/issue, which was wrong (didn't react to running vs. disabled) and not very user friendly (showing raw IPv6 addresses, for example).
Can you please include
    session optional pam_motd.so
into /etc/pam.d/sshd? (No further arguments, as that disables motd.d support). Thanks!
[1] https://github.com/linux-pam/linux-pam/pull/48
[2] https://lists.fedoraproject.org/archives/list/server%40lists.fedoraproject.org/thread/55SWJA6ERCC3ZPAGEQFJK5EGAXTFX7OJ/
[3] https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org/message/HZKVNY2C2DMOCKRLLBL6YR3V4L5BY2SR/
The part about cleaning up /etc/issue is bug 1591389.
Please see https://src.fedoraproject.org/rpms/openssh/pull-request/3 for the change we request.
The PR is merged. I will build and update the package in Fedora 28 soon.
openssh-7.7p1-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-73801e68f3
openssh-7.7p1-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-73801e68f3
openssh-7.7p1-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
With this included, /etc/motd is printed twice when logging in remotely using ssh. Commenting out the motd line in /etc/pam.d/sshd goes back to correct behavior.
@Sammy: Where else is pam_motd included for you? Please copy the output of "grep -r motd /etc/pam.d" here.
Here it is, but obviously motd was already printing before this addition to openssh.
    # grep -r motd /etc/pam.d
    /etc/pam.d/sshd:session optional pam_motd.so
@Sammy: This isn't so obvious - the only place you have where pam_motd is configured is the expected one that was added in this bug report. Do you perhaps mean showing /etc/issue? This should go away and is being tracked in bug 1591389.
First, I have a /etc/motd that is custom edited to show the details of the machine (just filled with specific text). This was always printing when we ssh into systems BEFORE the change introduced in this bug report. With the pam_motd it prints it twice when I log in. When I look into sshd_config I see that PrintMotd was set to yes by default. If I make this "no" and uncomment the line in /etc/pam.d/sshd then I only get one motd shown on login. What was printing motd before the above change?
Here is how the double output looks like:
    VU Computational Nuclear Theory
    System: Dell Precision T7610n
    OpeSys: Fedora Core 28+
    Memory: 64 GB
    DiskSp: 500 GB
    ____________________________________________________________________________
    Last failed login: Sun Jul 1 17:05:22 CDT 2018 from 129.59.141.54 on ssh:notty
    There were 60 failed login attempts since the last successful login.
    Last login: Fri Jun 29 07:32:01 2018 from 129.59.116.43
    VU Computational Nuclear Theory
    System: Dell Precision T7610n
    OpeSys: Fedora Core 28+
    Memory: 64 GB
    DiskSp: 500 GB
    ____________________________________________________________________________
(In reply to Sammy from comment #12)
> Here is how the double output looks like:
Is it possible that you have a custom login shell that might be separately displaying the /etc/motd as part of its startup experience? Maybe someone added a display of the MOTD to /etc/profile or /etc/bashrc?
Nothing obvious. I manage all of our systems. Are you telling me that motd was never supposed to print during ssh login before this change? It has been printing for me since the beginning of time! If I do "grep -r motd *" in /etc:
    pam.d/sshd:session optional pam_motd.so
    Binary file selinux/targeted/contexts/files/file_contexts.homedirs.bin matches
    selinux/targeted/contexts/files/file_contexts.homedirs:/home/[^/]+/\.ircmotd -- unconfined_u:object_r:irc_home_t:s0
    Binary file selinux/targeted/policy/policy.31 matches
I also don't have anything in .bashrc etc.
Do you have `PrintMotd yes` set in your /etc/ssh/sshd_config file? That's not enabled by default on Fedora...
No, it is commented but suggesting the default is yes: #PrintMotd yes
The thing is that by default, the /etc/motd is empty, so nothing is printed when PrintMotd is yes in sshd_config by default (that is read separately by sshd). There are various mechanisms to support dynamic motd (sshd itself does not support that), such as pam_motd, which should be preferred from now on and which indeed has its drop-in directory for the static information you might want to show on login. This already landed in Fedora 28 based on the request from the cockpit team, so the question now is whether we should disable PrintMotd in sshd_config by default or whether there will be some other possibility to return the behavior to some sane one.
@Jakub: IMHO pam_motd is a more general and more easily extendable solution, so disabling `PrintMotd` by default sounds right.
But in that way, it might become more confusing than before, given that there is PrintMotd option, it is disabled, but it still prints the motd from pam. Sigh ...
Could this say something like
    # Already shown through pam_motd in /etc/pam.d/ssh
    # PrintMotd yes
so that admins see what's going on?
(In reply to Martin Pitt from comment #20)
> Could this say something like
>
> # Already shown through pam_motd in /etc/pam.d/ssh
> # PrintMotd yes
>
> so that admins see what's going on?
I think Martin has the right idea here. I think it would be best for Fedora if we:
1) Changed the default to be `PrintMotd no`
2) Change the comment in the sshd_config to be:
    # It is recommended to use pam_motd in /etc/pam.d/ssh instead of PrintMotd,
    # as it is more configurable and versatile than the built-in version.
    # PrintMotd no
That sounds reasonable. Thank you for ideas. I will update openssh with the new configuration file.
openssh-7.7p1-5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-277b887f76
openssh-7.7p1-5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-277b887f76
openssh-7.7p1-5.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
This still fails for me:
    [sun ethan ~ :) 10]$ rpm -q openssh-server
    openssh-server-7.7p1-5.fc28.x86_64
    [sun ethan ~ :) 11]$ sudo grep -i motd /etc/ssh/sshd_config
    [sun ethan ~ :( (1) 12]$ sudo sshd -T | grep -i motd
    printmotd yes
Do you have sshd_config.rpmnew? When I updated, the systems with an unchanged sshd_config had it replaced, but the one where I made a manual change was not replaced; instead sshd_config.rpmnew was created (as it should).
My sshd_config is custom, and does not set PrintMotd one way or another, and never has. My understanding of the discussion so far was that if not set in the config PrintMotd would default to "No" in openssh-server-7.7p1-5.fc28.x86_64, which isn't the case.
No, in the new sshd_config PrintMotd is explicitly set to "no". If you have a custom sshd_config then there should be a rpmnew there. So, you need to set "PrintMotd no" in your config file. I presume they prefer to control the behavior with sshd_config file rather than patching the source. The default from the source seems to be "yes".
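The duplication traced in this thread, as an added example that is not part of the bug report or of any Fedora package: a POSIX shell check that reads an sshd_config and a pam.d/sshd file and reports which mechanism will print /etc/motd on SSH login. The function names and sample files are constructed; it assumes UsePAM is enabled and does not follow PAM include/substack lines.

```shell
#!/bin/sh
# Added example (not from the bug report): which mechanism prints /etc/motd?

# Effective PrintMotd: the first uncommented occurrence wins; when the
# keyword is absent, sshd falls back to "yes" (see the `sshd -T` output above).
effective_printmotd() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # allow Keyword=value
        /^#/ { next }
        tolower($1) == "printmotd" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# "yes" if an uncommented session line loads pam_motd.so in this one file.
pam_motd_enabled() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        $1 ~ /^-?session$/ && /pam_motd\.so/ { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Usage: motd_verdict <sshd_config> <pam.d/sshd>
motd_verdict() {
    case "$(effective_printmotd "$1")/$(pam_motd_enabled "$2")" in
        yes/yes) echo duplicate ;;   # motd printed twice, as reported above
        yes/no)  echo sshd-only ;;
        no/yes)  echo pam-only ;;
        *)       echo none ;;
    esac
}

# Constructed sample files (not copied from any real system).
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
printf '%s\n' 'Port 22' 'UsePAM yes' '#PrintMotd yes' > "$d/custom.conf"
printf '%s\n' 'UsePAM yes' 'PrintMotd no' > "$d/fixed.conf"
printf '%s\n' 'session include password-auth' \
    'session optional pam_motd.so' > "$d/pam.sshd"

echo "custom sshd_config: $(motd_verdict "$d/custom.conf" "$d/pam.sshd")"
echo "with PrintMotd no:  $(motd_verdict "$d/fixed.conf" "$d/pam.sshd")"
```

On a live system, `sshd -T` remains the authoritative source for the effective PrintMotd value; this check is useful for reviewing configuration files before they are deployed.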