
Unify print_motd?

Open rndmh3ro opened this issue 3 years ago • 5 comments

Is your feature request related to a problem? Please describe.

Currently we have two variables that control the motd:

ssh_print_motd

    Default: false
    Description: false to disable printing of the MOTD

ssh_print_pam_motd

    Default: false
    Description: false to disable printing of the MOTD via pam (Debian and Ubuntu)

We should investigate if we can unify these two. See: https://github.com/dev-sec/ansible-collection-hardening/pull/357

rndmh3ro avatar Dec 20 '20 20:12 rndmh3ro

This was willfully introduced: https://github.com/dev-sec/ansible-ssh-hardening/pull/320. However, I am not able to find Issue 319 in the ansible-ssh-hardening repo.

schurzi avatar Dec 25 '20 21:12 schurzi

https://web.archive.org/web/20201226072034/https://github.com/dev-sec/ansible-ssh-hardening/issues/319

rndmh3ro avatar Dec 26 '20 07:12 rndmh3ro

Ah, thanks for the link.

What I recollect from there is that we introduced the two options precisely because there are two locations to manage MOTD. One additional problem with the implementation is that we can easily disable and re-enable the MOTD in sshd_config, but once the pam MOTD has been disabled, we do not provide a way to re-enable it (other than copying back the backup file).

I see some possible solutions to that:

  1. we disable pam MOTD by default and in all cases, so the only control left would be in sshd_config
  2. we check os_family and modify the corresponding location (and create a way to re-enable pam MOTD)
  3. leave things as they are and update the documentation to make this clearer to the user

What do you think?

schurzi avatar Dec 26 '20 11:12 schurzi
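A shell sketch of the two MOTD switches schurzi describes, added here as an example and not code from the collection. It assumes constructed sample files standing in for /etc/ssh/sshd_config and /etc/pam.d/sshd, and implements the reversible pam_motd toggle of option 2 by commenting the lines out and back in instead of deleting them.

```shell
#!/bin/sh
# Added example, not code from the collection. Paths are parameters so the
# functions run on constructed samples; on a real host they would be
# /etc/ssh/sshd_config and /etc/pam.d/sshd.

# Effective PrintMotd value: sshd takes the first occurrence of a keyword
# and defaults to "yes" when it is absent, so mirror both behaviours.
sshd_print_motd() {
    val=$(grep -iE '^[[:space:]]*PrintMotd[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
    echo "${val:-yes}"
}

# "enabled" if at least one uncommented pam_motd session line exists.
pam_motd_state() {
    if grep -qE '^[[:space:]]*session[[:space:]].*pam_motd\.so' "$1"; then echo enabled; else echo disabled; fi
}

# Reversible toggle: comment pam_motd lines out or back in rather than
# deleting them, so re-enabling needs no backup file.
set_pam_motd() {
    case "$2" in
        disable) expr='s/^([[:space:]]*)(session[[:space:]].*pam_motd\.so)/\1# \2/' ;;
        enable)  expr='s/^([[:space:]]*)#[[:space:]]*(session[[:space:]].*pam_motd\.so)/\1\2/' ;;
        *) echo "usage: set_pam_motd FILE enable|disable" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed -E "$expr" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample files (modelled on a Debian host) written into $1.
make_samples() {
    printf '%s\n' '# constructed sshd_config' 'PrintMotd no' 'UsePAM yes' > "$1/sshd_config"
    printf '%s\n' '# constructed /etc/pam.d/sshd' \
        'session    optional     pam_motd.so  motd=/run/motd.dynamic' \
        'session    optional     pam_motd.so noupdate' > "$1/pam_sshd"
}

# Walk through the case the thread raises: PAM MOTD disabled, then restored.
demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    echo "sshd PrintMotd: $(sshd_print_motd "$dir/sshd_config")"
    set_pam_motd "$dir/pam_sshd" disable; echo "after disable: $(pam_motd_state "$dir/pam_sshd")"
    set_pam_motd "$dir/pam_sshd" enable;  echo "after enable:  $(pam_motd_state "$dir/pam_sshd")"
    rm -rf "$dir"
}
demo
```

Note that Debian and Ubuntu ship sshd_config with PrintMotd set to no precisely because pam_motd prints the banner instead, which is why checking only one of the two locations gives a misleading picture.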

FWIW, I don't think we should always disable pam MOTD: I think it's useful information that helps to harden the system on Ubuntu for example, by telling you how many security updates need applying, or that a reboot is needed, etc.

Sebster7 avatar Jun 21 '22 17:06 Sebster7

Telling me how many updates are pending or that a reboot is not required does not really improve security. I agree that it can be useful, that's why it is possible to activate the MOTD.

rndmh3ro avatar Jun 24 '22 11:06 rndmh3ro