NAS-127183 / 24.10 / Customer designated login banner
Government systems require a login banner prior to being allowed to log in. In the ticket it was determined to reuse the motd as our banner. This PR has the middleware portion of this ticket. On top of giving a public endpoint for motd, we also have our motd_before_login option, which updates our sshd configuration to show our MOTD prior to login. Our database string length has also been upped from 1024 to 4096 (DoD requires 1300 minimum to fit the bare minimum message).
Jira URL: https://ixsystems.atlassian.net/browse/NAS-127183
Is there any reason to not just always display motd before login?
On the WebUI it could get annoying to have a popup modal every single time you log in with the motd. For the SSH part, we could do that but might as well keep parity with the WebUI for that logic.
Instead of parsing the SSH session, would verifying that the SSHd config contains the banner line be sufficient? As well as looking to see that the contents of /etc/motd are also what we just set.
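The check suggested in the comment above, sketched as an added example (not code from this PR or from the TrueNAS middleware). The function names are hypothetical, the banner path is read from the sshd config text rather than assumed, and `Include` files and `Match` blocks are not evaluated.

```python
import re
from pathlib import Path


def effective_banner(sshd_config_text):
    """Return the global Banner path sshd would use, or None if unset/disabled."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            break  # global section ends here; Match-scoped settings not evaluated
        if keyword == "banner":
            # sshd keeps the first value it reads; later Banner lines are ignored.
            return None if value.lower() == "none" else value
    return None


def check_login_banner(sshd_config_text, expected_banner, root=Path("/")):
    """Return a list of findings; an empty list means the banner is in place."""
    path = effective_banner(sshd_config_text)
    if not path:
        return ["no active global Banner directive in sshd config"]
    banner_file = Path(root) / path.lstrip("/")
    if not banner_file.is_file():
        return [f"Banner points at {path}, which does not exist"]
    if banner_file.read_text().rstrip("\n") != expected_banner.rstrip("\n"):
        return [f"{path} does not match the configured MOTD"]
    return []


# Constructed sample config: the commented-out line and the second Banner
# line must both be ignored.
SAMPLE_CONFIG = """\
# Banner /etc/issue.net
Port 22
banner /etc/login_banner
Banner none
Match User backup
    Banner /etc/other_banner
"""
```

The `root` argument lets the check run against a staged filesystem tree in a test instead of the live `/etc`.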
Have a passing test!
~~Still have to go through and redo the DB migration so its revision hashes are correct~~
Doesn't look like any alembic changes were made actually, I was under the impression that this PR had DB changes.
Should be clear to just merge as is.
I added the checkbox as it was suggested in the ticket! The reasoning (from what I assume) is to prevent having a popup every single time you log in (although we could just have it show up on the login page in general, not as a modal, but then there are UI flow issues with large banners). This is also to not suddenly start showing the MOTD for every user with it set (which would be just about everyone since we have a default "Welcome to TrueNAS").
I also updated my migration references to point to our most recent migration from the last 24 hrs.
@anodos325 how would we go about deleting the old /etc/login_banner if it's in its own mako? If exiting early stops the file from being written, then I could probably do a delete then exit early.
raise FileShouldNotExist within mako file (you will need to import from etc plugin)
@anodos325 I've implemented those changes! Is there any way to specify that when we're reloading the ssh service that we should etc generate our login_banner as well? Would save us a line in the config.py
Login banner needs to be a separate etc file with entry in etc plugin defining permissions required. no_auth_required + roles still needs to be resolved.
I'm looking into this right now
> @anodos325 I've implemented those changes! Is there any way to specify that when we're reloading the ssh service that we should etc generate our login_banner as well? Would save us a line in the config.py
If you put the login banner in the etc group for ssh then it will be generated every time etc.generate ssh is called.
The no_authz_required issue was me putting the accepts decorator above the no_authz_required, moving it below fixes it.
Should be good for final review now!
This PR has been merged and conversations have been locked. If you would like to discuss more about this issue please use our forums or raise a Jira ticket.