Comment 7 for bug 1893716

Christian Ehrhardt  (paelzer) wrote :

I must re-state that I agree one might expect (I did) that on non-interactive shells this motd content would not execute at all.
... but it does ... why?

Nowadays this is all from libpam which has pam_mount (man page) and is enabled by default here:

root@j:~# grep -Hrn motd /etc/pam*
/etc/pam.d/login:31:# This includes a dynamically generated part from /run/motd.dynamic
/etc/pam.d/login:32:# and a static (admin-editable) part from /etc/motd.
/etc/pam.d/login:33:session optional pam_motd.so motd=/run/motd.dynamic
/etc/pam.d/login:34:session optional pam_motd.so noupdate
/etc/pam.d/sshd:31:# This includes a dynamically generated part from /run/motd.dynamic
/etc/pam.d/sshd:32:# and a static (admin-editable) part from /etc/motd.
/etc/pam.d/sshd:33:session optional pam_motd.so motd=/run/motd.dynamic
/etc/pam.d/sshd:34:session optional pam_motd.so noupdate

OK, on a login shell (/etc/pam.d/login) it makes sense, but on ssh I'd expect it (just like the reporter) to be shown only if interactive.

At least that is a great place to disable this manually if needed,
but sadly disabling this in only /etc/pam.d/sshd also removes it for ssh-based login shells.
So an ssh-based login shell will not be configured by /etc/pam.d/login :-/
PAM is trying to outsmart us ... :-/

After all, [1] says "... which is displayed by the pam_motd(8) module on interactive shell logins.", which should be, but isn't, true.

One can debate whether it is good or not in the first place to log in for every command, as there will be a lot more every time (e.g. audit entries, syslog entries, the env being spawned, ...); overall this is only one of the things that makes this conceptually wrong.

But still, I find it embarrassing to see this trivial test do so badly:

$ time for i in $(seq 1 100); do ssh -i /tmp/id-rsa-test testuser1@10.253.194.246 "ls ~"; done

- With pam_motd.so enabled in /etc/pam.d/sshd => 0m59,709s
- With pam_motd.so disabled in /etc/pam.d/sshd => 16,159s

On any cloud or hypervisor that scales a lot, not only the elapsed time but also the cycles will add up to quite a lot. So either way it comes to slowdown as well as unnecessary price or power consumption.

I'm tempted to suggest a discussion to disable it in /etc/pam.d/sshd unless we find a way to make it only happen on interactive logins.

P.S. I have the feeling we had this discussion, maybe others will remember better - I need to talk to a few people ...

[1]: http://manpages.ubuntu.com/manpages/bionic/man5/update-motd.5.html
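An added example (not part of the bug thread or of Ubuntu's PAM packaging) showing the manual workaround the comment mentions: audit a PAM service file for active pam_motd.so session lines and emit a copy with those lines commented out. The input is a constructed excerpt modelled on /etc/pam.d/sshd, embedded inline so the script runs offline; the function names are the example's own.

```shell
#!/bin/sh
# Constructed excerpt of a PAM service file (not a real /etc/pam.d/sshd).
SAMPLE_PAM_SSHD='# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_keyinit.so force revoke
@include common-session'

# Matches an uncommented "session <control> pam_motd.so ..." line.
MOTD_RE='^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+pam_motd\.so'

# Print the active (uncommented) pam_motd.so session lines of the config
# passed as $1; already-commented lines do not match.
active_motd_lines() {
    printf '%s\n' "$1" | grep -E "$MOTD_RE"
}

# Count active pam_motd.so session lines (0 when none remain).
count_active_motd() {
    printf '%s\n' "$1" | grep -E "$MOTD_RE" | wc -l | tr -d ' '
}

# Emit a copy of the config with every active pam_motd.so session line
# commented out; all other lines (including other session modules) are
# left untouched so the rest of the PAM stack keeps working.
disable_motd() {
    printf '%s\n' "$1" | sed -E "s/($MOTD_RE)/# \\1/"
}

# Stand-alone run: show what is active before and after the change.
main() {
    echo "active pam_motd.so lines: $(count_active_motd "$SAMPLE_PAM_SSHD")"
    active_motd_lines "$SAMPLE_PAM_SSHD"
    patched=$(disable_motd "$SAMPLE_PAM_SSHD")
    echo "after disabling: $(count_active_motd "$patched")"
    printf '%s\n' "$patched"
}

[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || main
```

To apply it to a real system you would run `disable_motd "$(cat /etc/pam.d/sshd)"` and review the output before writing it back; as the comment notes, this silences the motd for interactive ssh logins too.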