Categories
SysOps

How to suppress the message of the day

Suppress message of the day for specific or multiple users.

The default message of the day looks like this.

$ ssh debian.example.org -l milosz -i ~/.ssh/ext_milosz
Linux buster 4.19.0-4-amd64 #1 SMP Debian 4.19.28-2 (2019-03-15) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 26 22:21:30 2019 from 10.0.2.2
milosz@buster:~$

Remote OpenSSH session

Per-user option

To suppress the message of the day for a specific user, create ~/.hushlogin file on a remote server.

$ touch ~/.hushlogin

Global option for every user

To suppress the message of the day for every user on a remote server, perform three simple steps.

Ensure that PrintLastLog option and PrintMotd respectively are disabled in OpenSSH server configuration /etc/ssh/sshd_config.

PrintMotd no
PrintLastLog no

Reload service after configuration update.

$ sudo systemctl update sshd

Ensure that PAM configuration /etc/pam.d/sshd for OpenSSH server does not use pam_motd module.

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
# session    optional     pam_motd.so motd=/run/motd.dynamic
# session    optional     pam_motd.so noupdate

Done.

$ ssh debian.example.org -l milosz -i ~/.ssh/ext_milosz
milosz@buster:~$

This behavior is defined in the OpenSSH session.c file.

/*
 * Check for quiet login, either .hushlogin or command given.
 */
int
check_quietlogin(Session *s, const char *command)
{
        char buf[256];
        struct passwd *pw = s->pw;
        struct stat st;
        /* Return 1 if .hushlogin exists or a command given. */
        if (command != NULL)
                return 1;
        snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
        if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
                return 1;
        return 0;
}

Local session

Per-user option

Inspect default /etc/login.defs configuration to check HUSHLOGIN_FILE option.

$ cat /etc/login.defs
[...]
#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE  .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
[...]

Create ~/.hushlogin file to suppress the message of the day for a particular user.

$ touch ~/.hushlogin

This behavior is defined in Shadow shadow/libmisc/hushed.c file.

/*
 * If this is not a fully rooted path then see if the
 * file exists in the user's home directory.
 */
if (hushfile[0] != '/') {
	(void) snprintf (buf, sizeof (buf), "%s/%s", pw->pw_dir, hushfile);
	return (access (buf, F_OK) == 0);
}

Global option for multiple users

Alter /etc/login.defs configuration to define system-wide /etc/hushlogins file as HUSHLOGIN_FILE.

$ cat /etc/login.defs
[...]
#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
# HUSHLOGIN_FILE  .hushlogin
HUSHLOGIN_FILE /etc/hushlogins
[...]

Add user login to /etc/hushlogins to suppress the message of the day for the specific user.

$ echo milosz | sudo tee -a /etc/hushlogins

Add login shell to /etc/hushlogins to suppress the message of the day for every user using a particular shell.

$ echo /bin/bash | sudo tee -a /etc/hushlogins

This behavior is defined in Shadow shadow/libmisc/hushed.c file.

/*
 * If this is a fully rooted path then go through the file
 * and see if this user, or its shell is in there.
 */

fp = fopen (hushfile, "r");
if (NULL == fp) {
	return false;
}
for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) {
	buf[strlen (buf) - 1] = '\0';
	found = (strcmp (buf, pw->pw_shell) == 0) ||
	        (strcmp (buf, pw->pw_name) == 0);
}

Global option for every user

Ensure that the PAM configuration /etc/pam.d/login for the Shadow login service does not use pam_motd module.

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
# session    optional     pam_motd.so motd=/run/motd.dynamic
# session    optional     pam_motd.so noupdate

Done.