
Giving yourself a quieter SSH login

Posted by Steve on Fri 24 Aug 2007 at 15:13


Usually when you connect to a server remotely, via ssh, you'll be shown the "message of the day", the last time you logged in to the machine, and other details. Here's a simple way to disable that behaviour.

By default the message of the day is read from the file /etc/motd. Displaying it is usually handled by PAM, via a line such as this in /etc/pam.d/ssh and /etc/pam.d/login:

# Prints the motd upon succesful login
session    optional   pam_motd.so

The obvious way to disable this behaviour is to remove this line from the relevant PAM file(s). However, doing this disables it for all users of the machine, which might not be appreciated.

Instead we're going to look at the file /etc/login.defs - this file contains various settings which are used by different login programs.

By default you should see this:

#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE  .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins

This is our solution. If you want to have a "quiet" login then you may run this:

skx@vain:~$ touch ~/.hushlogin
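The HUSHLOGIN_FILE rule quoted above can also be applied in reverse, to list which accounts on a machine currently have hushed logins. This is an added example, not part of the original article: the function names and the ROOT path prefix are assumptions, and name/shell matching is done on whole lines of the file, as the login.defs comment describes.

```sh
#!/bin/sh
# Added example: report accounts whose logins are hushed under the
# HUSHLOGIN_FILE rule. ROOT is a path prefix (an assumption of this sketch)
# so the check can run against a copy of /etc and /home.

# Print the active (uncommented) HUSHLOGIN_FILE value from a login.defs file.
hush_setting() {
    awk '$1 == "HUSHLOGIN_FILE" { v = $2 } END { if (v != "") print v }' "$1"
}

# hushed_accounts ROOT: print one hushed user name per line.
hushed_accounts() {
    root=$1
    setting=$(hush_setting "$root/etc/login.defs")
    if [ -z "$setting" ]; then return 0; fi
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $setting in
        /*) # Full pathname: hushed if the name or shell is a line in that file.
            if [ -f "$root$setting" ] &&
               grep -qxF -e "$name" -e "${shell:-/bin/sh}" "$root$setting"; then
                echo "$name"
            fi ;;
        *)  # Otherwise: hushed if the file exists in the user's home directory.
            if [ -e "$root$home/$setting" ]; then echo "$name"; fi ;;
        esac
    done < "$root/etc/passwd"
}

# Run as "sh hush-audit.sh /" (hypothetical file name) for the live system,
# or pass the path of a mounted copy.
if [ "$#" -ge 1 ]; then hushed_accounts "$1"; fi
```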

To show the difference in behaviour, here's an example of before and after (note that I'm using SSH keys here, so there is no password prompt):

Before creating .hushlogin

skx@vain:~$ ssh localhost
Linux steve 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 24 09:38:52 2007 from localhost.localdomain
skx@vain:~$

After creating .hushlogin

skx@vain:~$ ssh localhost
skx@vain:~$

The downside to this solution is that you might miss a message saying something like this:

Last login: Wed Aug 22 16:00:10 2007 from l33t.hax0r.some.ips

(I did once detect that an account of mine had been compromised when I noticed the previous login location was utterly unlikely to have been mine ..)

 

 


Re: Giving yourself a quieter SSH login
Posted by cparker (204.136.xx.xx) on Fri 24 Aug 2007 at 15:56
What I'd actually like to be able to do is have the MOTD automatically change itself on a daily (or perhaps even per-login) basis based on the contents of a quotes file. I've been thinking of writing a fortune cookie script that would output a random fortune to the MOTD, but I'd like a seamless way to do this, possibly by changing the MOTD functionality to accept output from a script instead of just reading a file. Is this possible (without changing/recompiling source code)?

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (84.20.xx.xx) on Fri 24 Aug 2007 at 16:01
You can run 'fortune' from cron and output it to motd?

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Steve (80.68.xx.xx) on Fri 24 Aug 2007 at 16:17

Run this:

cp /etc/motd /etc/motd.header

Then create /etc/cron.hourly/motd with something like this in it:

#!/bin/sh
cp /etc/motd.header /etc/motd
/usr/games/fortune >> /etc/motd

That should do the job ..

Steve

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (88.109.xx.xx) on Sat 25 Aug 2007 at 03:01
better to do:

#!/bin/sh
cp /etc/motd.header /etc/motd.new
/usr/games/fortune >> /etc/motd.new
mv /etc/motd.new /etc/motd
#EOF

This way the new motd file is put in place atomically so there is no race condition.

(yes I'm bored!)

Anon

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (90.184.xx.xx) on Sat 25 Aug 2007 at 13:08
Got your point. But one might argue that race conditions are very rare in this environment.

Unless, of course, /usr/games/fortune executes for more than an hour ... ;-)

(This is Saturday -- I'm bored too)

-Martin

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (87.210.xx.xx) on Mon 10 Sep 2007 at 07:27
Forgive me my ignorance, for I am only a beginner...
But where exactly is the (theoretical?) race condition in the first script, and how does the second script solve this?

Thanks!
-Lucas

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (59.167.xx.xx) on Tue 25 Sep 2007 at 15:26
Also a bit of a newbie, but isn't there now the exact same race condition for /etc/motd.new as there was for /etc/motd in the first one?

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (152.43.xx.xx) on Wed 3 Oct 2007 at 22:03
Yes, but it doesn't matter; the login process reads /etc/motd, not /etc/motd.new. So while it would be possible (but extremely unlikely) to send a half-written /etc/motd to the client, with the mv you'd either send the old motd, or the new one.

[ Parent ]
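The write-then-rename pattern discussed in this thread, as an added example that is not part of any of the comments above. The function name and its arguments are assumptions; it also keeps the temporary file in the target's directory and leaves the current MOTD alone if the generator fails.

```sh
#!/bin/sh
# Added example: rebuild a MOTD from a header plus generated text and publish
# it with a single rename. Function name and arguments are assumptions.

# update_motd HEADER TARGET COMMAND [ARGS...]
update_motd() {
    header=$1 target=$2
    shift 2
    # The temp file must live in TARGET's directory: a rename is only atomic
    # within one filesystem; across filesystems mv falls back to copy + delete.
    tmp=$(mktemp "$(dirname "$target")/.motd.XXXXXX") || return 1
    if cat "$header" > "$tmp" && "$@" >> "$tmp"; then
        chmod 644 "$tmp"        # mktemp creates the file with mode 0600
        mv -f "$tmp" "$target"  # readers get the old file or the new one
    else
        rm -f "$tmp"            # generator failed: keep the current MOTD
        return 1
    fi
}

# From /etc/cron.hourly/motd, with the paths used in the thread:
#   update_motd /etc/motd.header /etc/motd /usr/games/fortune
```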

Re: Giving yourself a quieter SSH login
Posted by Anonymous (62.89.xx.xx) on Mon 27 Aug 2007 at 15:04
To hide the message of the day there is an ssh-server option

simply

PrintMotd no

in /etc/ssh/sshd_config

polarizers 2 cents

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (59.167.xx.xx) on Tue 25 Sep 2007 at 15:28
But won't that turn off the motd for all users, rather than just the desired user?

[ Parent ]

Last login...
Posted by svanstrom (83.253.xx.xx) on Thu 30 Aug 2007 at 12:58
Have a look at these, and then add something suitable to .login (or whatever you're using):

man faillog
man last
man lastb
man lastlog

man chklastlog
(Part of chkrootkit.)

[ Parent ]
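One way to keep the check that the article notes is lost with .hushlogin, along the lines of the tools suggested in the comment above: filter `last -i` records against a list of origins you expect. This is an added example, not code from the article or the commenters; the function names, the allow-list file format and the sample records are assumptions or constructed.

```sh
#!/bin/sh
# Added example, not from the original page. The function names, the
# allow-list format and the sample records are assumptions.

# unexpected_logins USER ALLOWFILE
# Reads `last -i`-style records on stdin and prints the pty sessions of USER
# whose origin address is not listed (one per line, # comments) in ALLOWFILE.
unexpected_logins() {
    awk -v user="$1" -v allow="$2" '
        BEGIN {
            # A missing allow-list leaves ok[] empty, so every origin is flagged.
            while ((getline line < allow) > 0) {
                n = split(line, f)
                if (n > 0 && f[1] !~ /^#/) ok[f[1]] = 1
            }
        }
        $1 == user && $2 ~ /^pts\// && !($3 in ok)
    '
}

# Constructed sample in the column layout printed by `last -i`.
sample_last_records() {
    cat <<'EOF'
skx      pts/1        127.0.0.1        Fri Aug 24 09:38   still logged in
skx      pts/0        203.0.113.77     Wed Aug 22 16:00 - 16:05  (00:05)
root     pts/2        203.0.113.77     Wed Aug 22 15:00 - 15:10  (00:10)
skx      tty1         0.0.0.0          Tue Aug 21 08:00 - 08:30  (00:30)

wtmp begins Wed Aug  1 00:00:01 2007
EOF
}

# In ~/.profile (the allow-list path is hypothetical):
#   last -i -n 10 "$USER" | unexpected_logins "$USER" "$HOME/.ssh/known_origins"
```

Note that `last` truncates long user names unless told otherwise, so the USER argument has to match what `last` prints.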

Re: Giving yourself a quieter SSH login
Posted by rodross (74.235.xx.xx) on Fri 7 Sep 2007 at 07:52
The implementation of various login messages I know is a feature available in NetBSD standard via ssh. I tend to use quieter clients and servers for ssh on all my debian machines. Dropbear is really nice on my smaller devices and lsh works really well for me. Great ideas above for MOTD. I tend to limit access with filters so the chances of even me logging in remotely are remote, unless the machine is on the allow list, so no remote keys, though I know it would make it more simple. I wonder what would happen if you enforced password aging, what kind of MOTD would you get when time ran out?
Cheers,
Rod Ross

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (212.110.xx.xx) on Mon 4 May 2015 at 14:29
Finally, a new line still appear before my data.

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (212.110.xx.xx) on Mon 4 May 2015 at 14:48
Please remove my comment I sent some minutes before!

"Finally, a newline appears before my data"

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by cjmcgovern (68.87.xx.xx) on Wed 8 Jun 2016 at 04:15
Seems like a lot of work.
The easy way:
vi ~/.ssh/config
LogLevel ERROR
:wq

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by Anonymous (46.43.xx.xx) on Wed 8 Jun 2016 at 04:23

That doesn't do the same thing - if you're logging into a host you might see something like this

 deagol ~ $ ssh mail.example.com
 /--/etc/motd ----------------------------------------------------------------\ 
 |                                                                            |
 |  This is the machine        mail.example.com                               |
 |                                                                            |
 \-------------------------------------------------<deployed via slaughter > -/

 No mail.
 Last login: Wed Jun  8 04:19:05 2016 from 2001:0:53aa:64c:14eb:1fbc:b73e:3120/32

Changing the local LogLevel on your client will not prevent the server from showing /etc/motd, your last login time, etc.

[ Parent ]

Re: Giving yourself a quieter SSH login
Posted by cjmcgovern (68.87.xx.xx) on Wed 8 Jun 2016 at 05:12
It suppresses the MOTD on all of the machines where I work

[ Parent ]