GSA / laptop-management

ALPHA/WIP for OSquery configuration for Mac and Linux Operating Systems

Cutting down redundant "unauthorized activity" warnings on Mac terminals #33

Closed konklone closed 6 years ago

konklone commented 6 years ago

Post-Jamf, our Macs now have a prominent warning about authorized use:

[Image: lwscreenshot 2017-09-01 at 1 27 14 pm]

I understand that they're both necessary from a compliance standpoint and, I think, actually a bit useful in readjusting staff expectations in a managed environment, at least in the near term.

But they're present both during boot/login and on every terminal open, which seems excessive and UX-obnoxious for folks who open up dozens of terminals throughout the day:

[Image: screen shot 2017-09-01 at 2 36 19 pm]

Could we cut these messages from the bash welcome message, and leave them on the boot/login process?

erik-burgess commented 6 years ago

It would be preferable to see these banners at console login and in the sshd_config in the event that someone was ssh'ing into the system. Displaying them when terminal is opened is redundant, as access to the system has already been gained.

ifbell commented 6 years ago

It is not currently possible to do this as the SSH warning is part of the motd which comes up with every new instance of the terminal.

konklone commented 6 years ago

@erik-burgess @ifbell Is sshd even enabled in our baseline? That seems like an undesired use case.

> It is not currently possible to do this as the SSH warning is part of the motd which comes up with every new instance of the terminal.

I think that's fine -- so, my request is to remove this warning from the MOTD entirely.

konklone commented 6 years ago

Okay, well having sshd enabled and open to being logged into for privileged account access seems like it offers its own security risks.

But the process isn't a human and doesn't need to be given a warning message anyway, and so just to make sure my original request doesn't get lost:

> Could we cut these messages from the bash welcome message, and leave them on the boot/login process?

ifbell commented 6 years ago

If you wish to float this idea past GSA security and they approve removing the MOTD, then we will comply with that choice. Just a piece of information: I do not know of a government entity that does not have the MOTD or similar warning in place. The idea being, if you come into a machine from the command line, that you have the same or similar warning as coming in through the GUI. Again, if GSA security approves this, we will comply.

On Tue, Sep 5, 2017 at 10:57 PM, Eric Mill notifications@github.com wrote:

> Okay, well having sshd enabled and open to being logged into for privileged account access seems like it offers its own security risks.
>
> But the Nessus scanner isn't a human and doesn't need to be given a warning message anyway, and so just to make sure my original request doesn't get lost:
>
> Could we cut these messages from the bash welcome message, and leave them on the boot/login process?


erik-burgess commented 6 years ago

> It is not currently possible to do this as the SSH warning is part of the motd which comes up with every new instance of the terminal.

Well, it is possible, if you use the Banner parameter in the sshd_config file and specify a text file with the banner text.
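Added example, not part of the thread or of this repository's code: a small audit that checks whether the warning is served by sshd's `Banner` file rather than by the motd shown in every new terminal. The function names, result labels and sample files are assumptions constructed for illustration; the config and motd paths are passed as arguments so it can be run against copies.

```sh
#!/bin/sh
# Print the Banner value from the global section of an sshd_config.
# sshd keywords are case-insensitive and the first value read wins.
# Prints "none" (sshd's default) when no Banner is set.
sshd_banner() {
    awk '
        /^[ \t]*#/              { next }   # commented-out directives do not count
        tolower($1) == "match"  { exit }   # conditional blocks are not the baseline
        tolower($1) == "banner" { print $2; found = 1; exit }
        END { if (!found) print "none" }
    ' "$1"
}

# Classify a host:
#   no-ssh-banner  - sshd shows no warning before authentication
#   motd-still-set - the motd still has text, so every new terminal repeats it
#   ok             - warning shown at ssh login only
banner_placement() {
    config=$1
    motd=$2
    banner=$(sshd_banner "$config")
    if [ "$banner" = "none" ] || [ ! -s "$banner" ]; then
        echo "no-ssh-banner"
    elif [ -s "$motd" ]; then
        echo "motd-still-set"
    else
        echo "ok"
    fi
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/motd.
demo=$(mktemp -d)
printf 'Authorized use only.\n' > "$demo/banner.txt"
printf '# constructed sample\nPort 22\nbanner %s\n' "$demo/banner.txt" > "$demo/sshd_config"
printf 'Authorized use only.\n' > "$demo/motd"

echo "warning in both places: $(banner_placement "$demo/sshd_config" "$demo/motd")"
: > "$demo/motd"    # empty the motd, keep the sshd Banner
echo "motd emptied:           $(banner_placement "$demo/sshd_config" "$demo/motd")"
```
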

konklone commented 6 years ago

This is resolved, and the warning removed. Thanks, all!