Russ Allbery wrote:
> Josh Triplett <j...@joshtriplett.org> writes:
> > But not the Debian default. Debian defaults to "UsePAM yes" and
> > "PrintMotd no", and uses PAM to print the motd.
>
> Right, which I think is a bad idea, for the reasons stated earlier in this
> thread. :) I think the way to go here is to use the update-motd.d stuff
> to generate an MOTD file at boot, remove pam_motd from our default
> configuration, and go back to the upstream sshd default of displaying the
> MOTD file on login. It reduces our divergence from upstream and reduces
> the complexity of code that we're running during a security-critical code
> path.

I certainly agree that we shouldn't spawn update-motd.d from PAM at login
time. However, I don't think "run a pile of scripts to write out a dynamic
MOTD at boot time" is a sensible default, either. I'd suggest putting
update-motd and update-motd.d into a separate, optional package that users
can install if they really want it, and using either static files or
/etc/issue escape sequences as the default to avoid running *anything* at
either boot or login time.

> If you log in with public key authentication, does it even show
> anything? I bet it doesn't.

It does, actually, right next to the time of last login.

- Josh Triplett

Archive: https://lists.debian.org/20150126003543.GA12801@thin
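The configurations discussed in this thread can be told apart mechanically. The following is an added example, not part of the original message or of any Debian package: it reads sshd_config and /etc/pam.d/sshd text and reports who prints the MOTD and whether scripts run at login. It assumes Debian's patched pam_motd, which runs /etc/update-motd.d unless given `noupdate`; the sample configuration text and the function names are constructed for illustration.

```python
import re

def sshd_option(config_text, name, default):
    """Effective global value of an sshd_config keyword.
    sshd keeps the first occurrence; keywords are case-insensitive."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # global section ends at the first Match block
            break
        if key == name.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default

def pam_motd_lines(pam_text):
    """Option list of every active pam_motd session line."""
    found = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != "session":
            continue
        for i, tok in enumerate(fields[1:], 1):
            if tok.rsplit("/", 1)[-1] == "pam_motd.so":
                found.append(fields[i + 1:])
                break
    return found

def audit(sshd_text, pam_text):
    # Upstream sshd defaults: UsePAM no, PrintMotd yes.
    use_pam = sshd_option(sshd_text, "UsePAM", "no") == "yes"
    print_motd = sshd_option(sshd_text, "PrintMotd", "yes") == "yes"
    # PAM session modules only run when sshd is told to use PAM.
    motd = pam_motd_lines(pam_text) if use_pam else []
    return {
        "sshd_prints_motd": print_motd,
        "pam_prints_motd": bool(motd),
        # Assumption: Debian pam_motd runs update-motd.d unless 'noupdate'.
        "scripts_run_at_login": any("noupdate" not in o for o in motd),
    }

# Constructed samples: the Debian default described in the thread, and the
# proposed layout with pam_motd removed and sshd printing a static file.
DEBIAN_SSHD = "UsePAM yes\nPrintMotd no\n"
DEBIAN_PAM = ("session optional pam_motd.so motd=/run/motd.dynamic\n"
              "session optional pam_motd.so noupdate\n")
PROPOSED_SSHD = "UsePAM yes\n# PrintMotd left at the upstream default\n"
PROPOSED_PAM = "@include common-session\n# pam_motd removed\n"

if __name__ == "__main__":
    print("debian default:", audit(DEBIAN_SSHD, DEBIAN_PAM))
    print("proposed:      ", audit(PROPOSED_SSHD, PROPOSED_PAM))
```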