Modify the system banner

Author: KevinDKinsey

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

Be aware of the banner(s) that may be seen depending on how a user accesses a system and which files are used to configure each banner.

Introduction

Various banners and welcome messages are available to introduce a BSD system and to possibly share news, system policies, or important announcements. Among these are:

  • "Getty" message - this appears prior to the "login" prompt on a local terminal. It defaults to:

    \r\n%s/%m (%h) (%t)\r\n\r\n

    and is described in gettytab(5). An example appears below.

  • "Message of the Day" - This is generally shown after a successful login. The content is usually that of the file /etc/motd. In Free- and NetBSD, you can change the file to be shown in /etc/login.conf with the "welcome" directive. The administrator for the system modifies this file. In "ancient" times, this file was used as a 'bulletin board' for all system users; since most machine have very few terminal users these days, this file isn't changed (or read) as often as it once was.

  • "Copyright" - Some variants show the BSD /COPYRIGHT file upon login. This may be configured from login.conf as well.

  • "SSH Banner" - You may be greeted (or warned!) by a special "banner" message when sshd prompts you for your login credentials. In days past this message may have announced the name and OS of the system you were connecting to. In the present day, many times it displays a "legal warning", instead --- but only a lawyer can tell you if the message bears any actual legal weight. This message is configured within /etc/ssh/sshd_config with the "Banner" directive. See Configure an SSH server according to a set of requirements for more information. A sample appears below. You can also configure sshd to suppress the MOTD.

  • "Shell Cruft" (for lack of a better name). Some administrators or users set up additional output-producing directives in ~/.login --- an example, on FreeBSD, is the invocation of fortune(6) using the "freebsd-tips" database. An example is below.

TODO: telnetd uses standard login??

Examples

Gettytab's "banner":

""NetBSD/i386 (foo.example.com) (ttyv0)

""login:

The first part of the "stock" FreeBSD MOTD:

""Welcome to FreeBSD!

""Before seeking technical support, please use the following resources:

""o Security advisories and updated errata information for all releases are "" at http://www.FreeBSD.org/releases/ - always consult the ERRATA section "" for your release first as it's updated frequently.

""o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and, "" along with the mailing lists, can be searched by going to "" http://www.FreeBSD.org/search/. If the doc distribution has "" been installed, they're also available formatted in /usr/share/doc.

A sample ssh login, displaying a banner (of the "warning" type):

""$ ssh me@somehost

"" * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * ""THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ""ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
""PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR ""OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, ""DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES ""AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
""NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO ""MONITORING AND AUDITING.

""Password:

After logging in and the display of the MOTD, FreeBSD systems often display a "tip":

""To erase a line you've written at the command prompt, use "Ctrl-U". "" -- Dru <genesis@istar.ca>

Practice Exercises

  1. View your /etc/motd file.
  2. Configure sshd to display a message prior to logging in, or to suppress the display of the system MOTD afterwards.

More information

motd(5), login.conf(5), gettytab(5), sshd_config(5)