SSH MOTD - undesired information

I’ve been installing and configuring SLES 12 SP3 machines. Our configuration requirements state that we must use a DoD banner for SSH connections.

I’ve modified our /etc/motd and /etc/issue files to reflect the banners and changed the /etc/ssh/sshd_config to use Banner /etc/issue. Now the banner appears when connecting and after authentication.

However, some machines now have system information being printed out. This is not a desired effect and I have been ordered to remove it. The problem is that I cannot figure out where it is set to print this information.

-------------------------------------------
Hostname: linux
Current As Of: Thu May 24 09:30:02 2018
Distribution: SUSE Linux Enterprise Server 12
-Service Pack: 3
Architecture: x86_64
Kernel Version: 4.4.73-5-default
-Installed: Thu May 3 14:42:04 2018
-Status: Tainted: P X
Last Updated Package: Tue May 22 05:11:54 2018
-Patches Needed: 0
-Security: 0
-3rd Party Packages: 11
IPv4 Address: eth0 <IP>
Total/Free/+Cache Memory: 5962/4675/5411 MB (90% Free)
Hard Disk: /dev/sda 500 GB
-----------------------------------------------------------

How do I get rid of this?

The fastest way to fix this is probably to find whoever built the box, or
this user as whom you are authenticating, and ask them to tell you what
they did, and then undo it. Which target user are you using for
authentication and does it matter if you change to some other user?

Anything that prints to the screen could potentially cause that to
display. That could be something system-specific or user-specific.
Create a new user on the target system and test with it; if the text still
shows up, it is something system-specific, and if not maybe something in
the user’s own login scripts.

It may be interesting to know if that shows up when you use SSH to call
something explicitly:

ssh user@remote.box.goes.here 'ps';

Another option you may have, since nobody may be inclined to fess up, is
to look for some of those strings in places like /etc:

grep -Rl -e 'Hard Disk:' -e 'Last Updated Package:' /etc/*

Any files that come back, particularly those named something like ‘bashrc’
or ‘profile’, are places to start.

At the end of the day, I’ve never seen this output, so I’m 99% sure it is
custom, so if nothing else build a new clean box, prove it is not there,
and then ask them to remove the stuff they do not want. If they really do
not know its origin, it has no business being on a supposedly-secure system.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

kentcoble Wrote in message:
> I’ve been installing and configuring SLES 12 SP3 machines. Our
> configuration requirements state that we must use a DoD banner for SSH
> connections.
>
> I’ve modified our /etc/motd and /etc/issue files to reflect the banners
> and changed the /etc/ssh/sshd_config to use Banner /etc/issue. Now the
> banner appears when connecting and after authentication.

Presumably you have different content in /etc/motd and /etc/issue
so you know the content of /etc/issue is being displayed as the
banner?
> However, some machines now have system information being printed out.
> This is not a desired effect and I have been ordered to remove it. The
> problem is that I cannot figure out where it is set to print this
> information.
>
> Code:
>
> -------------------------------------------
> Hostname: linux
> Current As Of: Thu May 24 09:30:02 2018
> Distribution: SUSE Linux Enterprise Server 12
> -Service Pack: 3
> Architecture: x86_64
> Kernel Version: 4.4.73-5-default
> -Installed: Thu May 3 14:42:04 2018
> -Status: Tainted: P X
> Last Updated Package: Tue May 22 05:11:54 2018
> -Patches Needed: 0
> -Security: 0
> -3rd Party Packages: 11
> IPv4 Address: eth0
> Total/Free/+Cache Memory: 5962/4675/5411 MB (90% Free)
> Hard Disk: /dev/sda 500 GB
>
> How do I get rid of this?

So this only happens on some (not all) of your machines? Like ab, I
think this is something custom. On these machines is your
/etc/motd (or /etc/issue or /etc/issue.net) file being
overwritten with the above text?

HTH.

Simon Flood
SUSE Knowledge Partner


I built it, logging in as any user. It was created using Kiwi with a list of packages that are pre-installed.

> Another option you may have, since nobody may be inclined to fess up, is
> to look for some of those strings in places like /etc

I’ll give that a shot

They both contain the same content, a DoD banner.

It seems to only happen with a Kiwi image that has over 3,000 packages included with it. I have two different ISOs – one containing developer libraries, database products, and additional networking services – and only the one containing developer libraries displays this issue.

I’ve verified that /etc/issue and /etc/motd contain only the banner.

We may have found the culprit. One of our admins found the matching text under /var/spool/hostinfo/root-motd. Searching rpm leads to hostinfo-1.0-17.12.noarch, which is a package requested by the developers for some reason. Uninstalling it resolves the issue.
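The search that closed this thread (grep for the marker strings, then ask rpm which package owns the file) can be scripted as below. This is an added example, not code posted by anyone in the thread; the script name, the function names and the parent-directory fallback are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): trace unwanted login text to its source.

# Print files under the given roots that contain either marker string from the
# unwanted output. -F fixed strings, -I skip binaries, -s hide unreadable paths.
find_marker_files() {
    for root in "$@"; do
        [ -e "$root" ] || continue
        grep -RIlsF -e 'Hard Disk:' -e 'Last Updated Package:' "$root" || true
    done | sort -u
}

# Name the RPM that owns a file. Assumption: a file generated at run time may
# be unowned, so the parent directory is tried as a second guess.
owning_package() {
    command -v rpm >/dev/null 2>&1 || { echo 'rpm-not-available'; return 0; }
    for p in "$1" "$(dirname "$1")"; do
        if pkg=$(rpm -qf "$p" 2>/dev/null); then
            echo "$pkg"
            return 0
        fi
    done
    echo 'unowned'
}

# One line per hit: path, a tab, then the owning package (or 'unowned').
report() {
    find_marker_files "$@" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(owning_package "$f")"
    done
}

# Example invocation: sh trace-login-text.sh /etc /var/spool "$HOME"
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Searching /var/spool as well as /etc matters here, because the matching file in this thread was not under /etc at all.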

On 05/24/2018 04:44 PM, kentcoble wrote:

> We may have found the culprit. One of our admins found the matching text
> under /var/spool/hostinfo/root-motd. Searching rpm leads to
> hostinfo-1.0-17.12.noarch, which is a package requested by the
> developers for some reason. Uninstalling it resolves the issue.

Thanks for posting back; it is interesting to hear about that package, as
it is not one that rings any bells. Time to go see if I can duplicate it
and figure out how that works.


Good luck.
