aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Display motd on session start #175

Closed awiddersheim closed 3 years ago

awiddersheim commented 5 years ago

This might be loosely related to #131, at least in my mind, but it'd be nice if, when starting a new session, the system's motd got displayed. This is usually handled by pam, at least that is the case on my Ubuntu system.

Also, something similar to SSH's Banner may be nice as well.

kjpopov commented 5 years ago

+1

YujiaozhAws commented 5 years ago

Thank you for the feedback, we'll investigate this.

kchaitu4 commented 4 years ago

+1

jusrob commented 4 years ago

+1

shannonrdunn commented 4 years ago

@YujiaozhAws do you have this on the roadmap possibly? It is hard to achieve some NIST control requirements without the ability to display a message to users on login.

jimilinuxguy commented 4 years ago

@shannonrdunn if you do ssh over ssm the banner is displayed if that helps

shannonrdunn commented 4 years ago

@jimilinuxguy thanks! but we are trying not to allow ssh at all, and force ssm use. ssh over ssm you still have to use/manage the key pair right, and have port 22 exposed to the user?

adamdmharvey commented 4 years ago

This might help some of you: https://github.com/elpy1/ssh-over-ssm

I can't vouch for that project, though it uses standard SSH, but does it OVER SSM, so far as I can tell does not require port 22 exposed, and it manages dynamic keypairs for short term use that the user themselves doesn't have to have, create, or even see.

Note I still thumb'd up the overall topic here which is getting a banner/MOTD through standard SSM Connect as ideal for my use cases, though was looking into other options.

jimilinuxguy commented 4 years ago

@shannonrdunn Unfortunately key management is still required. The agency I work with implemented ssh over ssm and closed port 22 and used a script similar to https://www.keepsecure.ca/blog/automating-access-through-a-jump-host-aws/ to automatically add the keys to the instance and expire them shortly to help fight the issue you are having.

shannonrdunn commented 4 years ago

@adamdmharvey @jimilinuxguy wow these are great, and work great. thanks so much.

j-rat commented 4 years ago

This would be fantastic to have, especially for highly regulated industries.

awiddersheim commented 4 years ago

I forgot about this a bit. You can sort of achieve this now with the introduction of shell profiles.

https://aws.amazon.com/about-aws/whats-new/2020/10/now-customize-your-session-manager-shell-environment-with-configurable-shell-profiles/

ferkhat-aws commented 3 years ago

This can be accomplished by using shell profiles. Closing.

nitrocode commented 8 months ago

Could someone provide an example of how we can use shell profiles to display the existing motd?

A workaround is to use shell profiles to echo the motd. It's a bit of a hack and ends up printing the command and then the output when a user ssms into an instance resulting in seeing the motd twice.

j-rat commented 6 months ago

> This can be accomplished by using shell profiles. Closing.

I agree, however, the really annoying part is that with shell profiles, the output is duplicated. Would be really great to not have this duplicated and omit the commands that were run.

What's the best way, if any, to prevent the command from being displayed?

```
echo -e "===\n===\n=== This is my warning banner.  There are many like it, but this one is mine.\n=== My warning banner is my best friend. It is my life. I must master it as I must master my life.\n=== My warning banner, without me, is useless. Without my warning banner, I am useless.\n===\n===\n"
t me, is useless. Without my warning banner, I am useless.\n===\n===\n"r, withou
===
===
=== This is my warning banner.  There are many like it, but this one is mine.
=== My warning banner is my best friend. It is my life. I must master it as I must master my life.
=== My warning banner, without me, is useless. Without my warning banner, I am useless.
===
===

sh-4.2$
```
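
For the request above for a shell-profile example that shows the existing motd, here is an added sketch that is not from any commenter or from the amazon-ssm-agent project. It generates a Session Manager preferences document whose Linux profile is a single short `cat`, so the command line the thread reports being echoed stays short and the banner text lives in files. The motd paths, the `prefs.json` filename and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the amazon-ssm-agent project).
# Emits a Session Manager preferences document whose Linux shell profile
# prints the host's existing motd files.

# Assumption: /etc/motd is the static motd and /run/motd.dynamic is the file
# pam_motd generates on Ubuntu; adjust for your distribution.
# Kept to one short command because the thread reports the profile text is
# echoed at session start; the banner body stays in files, not in the profile.
MOTD_PROFILE='cat /etc/motd /run/motd.dynamic 2>/dev/null'

# json_safe STRING: succeed only if STRING can sit inside a JSON string
# literal unescaped (no double quote, backslash, or non-printable byte).
json_safe() {
    case $1 in
        *'"'*|*'\'*) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')" -eq 0 ]
}

# build_preferences PROFILE: print the preferences JSON on stdout.
# Only shellProfile is set here; logging, KMS and run-as settings live under
# the same "inputs" key, so merge this into your current document.
build_preferences() {
    json_safe "$1" || { echo "profile needs JSON escaping, refusing" >&2; return 1; }
    cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences with a login banner",
  "sessionType": "Standard_Stream",
  "inputs": {
    "shellProfile": {
      "windows": "",
      "linux": "$1"
    }
  }
}
EOF
}

build_preferences "$MOTD_PROFILE"
# Save the output as prefs.json (hypothetical name), then apply it:
#   aws ssm update-document --name SSM-SessionManagerRunShell \
#       --content file://prefs.json --document-version '$LATEST'
```
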