Set user- or group-specific MOTD in SSH

Question

I would like to disable or change the MOTD shown on SSH login on a per-group/per-user basis. This question on SuperUser has an answer stating that I can use Match blocks in sshd_config. However, man sshd_config states:

Match
         ...
         Only a subset of keywords may be used on the lines following a
         Match keyword.  Available keywords are AcceptEnv,
         AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
         AllowUsers, AuthenticationMethods, AuthorizedKeysCommand,
         AuthorizedKeysCommandUser, AuthorizedKeysFile,
         AuthorizedPrincipalsFile, Banner, ChrootDirectory, DenyGroups,
         DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication,
         HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
         KbdInteractiveAuthentication, KerberosAuthentication,
         MaxAuthTries, MaxSessions, PasswordAuthentication,
         PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
         PermitTunnel, PubkeyAuthentication, RekeyLimit,
         RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
         X11Forwarding and X11UseLocalHost.

And I can't see anything related to MOTD in that list. And indeed, trying to use that suggestion causes sshd to fail to start because of incorrect configuration.

So, can I do this? If so, how? From the SSH configuration or by altering whatever generates/prints the MOTD?

---

Altering files in /etc/update-motd.d isn't useful, since, according to man update-motd:

   Executable  scripts in /etc/update-motd.d/* are executed by pam_motd(8)
   as the root user at each login, and this information is concatenated in
   /var/run/motd. 

(I tested this out with a script that did echo $USER. I got a root in my MOTD.)

That leaves PAM configuration. I imagine it might be possible to disable pam_motd on a per-group/user basis, but I am not sure how to do it. The last option would be to disable pam_motd altogether, and use pam_exec, but I really hope it doesn't come to that.

Answer 1

Here is an implementation on per user/group motd inspired by motd or login banner per user

First comment out:

session    optional   pam_motd.so  motd=/run/motd.dynamic
session    optional   pam_motd.so

in /etc/pam.d/login and set PrintMotd no in /etc/ssh/sshd_config

Then you could define your per user/group message script and put it in folder, for example:

sudo mkdir -p /etc/mymotd/groups
sudo mkdir -p /etc/mymotd/users

In these folders you can create executable scripts for each groups or users that prints on standard output the message of the day.

You could create /etc/profile.d/perUserGroupMotd.sh with the follow lines:

gidName=`id -gn`
if [ -e /etc/mymotd/groups/$gidName ]; then
   /etc/mymotd/groups/$gidName
else 
   if [ -e /etc/mymotd/users/$USER ]; then
      /etc/mymotd/users/$USER
   fi
fi

or you can use file to enable/disable message and than run /path/to/script -g $gidName or /path/to/script -u $USER, obviously there are many different possible implementations.

About pam_motd, at the end I found these two bug:

• pam_motd runs commands as root with unsanitised environment: this is a security hole and update-motd patch is: unset environment and manually set PATH variable.
• Multiple issues with pam_motd update-motd code: one of this multiple issues is about a missing lock on file generated by update-motd. In multi-user system, multiple concurrent access can result in corrupted motd.

For these reasons I guess is not possible to use pam_motd for your objective.

HUSHLOGIN_FILE directive in /etc/login.defs should inhibits all the usual chatter during the login sequence, so any output is suppressed even last login date.

I guess that motd is designed to reach all user in the system and because of this ssh and pam_motd simple enable or disable it for all user.