consent to monitoring banner for ssh

Carl G. Riches cgr at u.washington.edu
Wed Dec 5 19:58:47 UTC 2007


On Wed, 5 Dec 2007, Bill Tangren wrote:

>
>> Well, you *could* do the "acceptance by logging in" thing... or you can
>> force them to type [yes|no].  Here's how I accomplish that.
>
> Firstly, thanks for the help.
>
> I've done this on a test platform, and I end up with a dialog box when I
> log into the GUI, but hitting the cancel button still lets me in.
>
> I DO NOT get a prompt when I ssh, nor do I get one from the text console
> or tty consoles (ctl+F1 through ctl+F6).
>
> Any ideas on implementing this in those circumstances?
>

Have you tried implementing this by replacing the user's shell (in 
/etc/passwd or equivalent) with your own wrapper script?

Carl
-- 
Carl G. Riches
Software Engineer
Department of Biostatistics
Box 357232                      voice:     206-616-2725
University of Washington        fax:       206-543-3286
Seattle, WA  98195-7232         internet:  cgr at u.washington.edu

>>
>>
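>> # Write the login banner to /etc/issue.  This copy has no linefeeds, so it
>> # wraps to the terminal width.  The delimiter is quoted ('EOF') so that any
>> # $ or backquote in the banner text is written literally, not expanded by
>> # the shell that runs this command.
>> cat <<'EOF' >/etc/issue
>> YOUR WELCOME BANNER.
>> EOF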
>>
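>> # Install the gdm PreSession hook.  It shows the same banner as a yes/no
>> # dialog once the username and password have been entered; this copy of the
>> # banner text may contain linefeeds.
>> # The delimiter is quoted ('EOF') so that $PATH, $1, $?, $0 and the command
>> # substitutions below are written into the hook literally instead of being
>> # expanded by the shell that runs this installer.
>> cat <<'EOF' >/etc/X11/gdm/PreSession/Default
>> #!/bin/sh
>> #
>> # Note that any setup should come before the sessreg command as
>> # that must be 'exec'ed for the pid to be correct (sessreg uses the parent
>> # pid)
>> #
>> # Note that output goes into the .xsession-errors file for easy debugging
>> #
>> PATH="/usr/bin/X11:/usr/X11R6/bin:/opt/X11R6/bin:$PATH:/bin:/usr/bin"
>>
>> # Consent gate: continue only when the dialog exits 0 (Yes).  Every other
>> # status -- No, Cancel, a closed window, or gdialog failing to run -- is
>> # treated as a refusal, so the check fails closed rather than open.
>> if ! /usr/bin/gdialog --yesno "YOUR WELCOME BANNER"; then
>>     gdialog --infobox "Logging out in 10 Seconds" 1 20 &
>>     sleep 10
>>     # Leave with a failure status instead of registering the session.
>>     exit 1
>> fi
>>
>> # Print the first executable named $1 found in $PATH (empty if none).
>> gdmwhich () {
>>     COMMAND="$1"
>>     OUTPUT=
>>     IFS=:
>>     for dir in $PATH
>>     do
>>         if test -x "$dir/$COMMAND" ; then
>>             if test "x$OUTPUT" = "x" ; then
>>                 OUTPUT="$dir/$COMMAND"
>>             fi
>>         fi
>>     done
>>     unset IFS
>>     echo "$OUTPUT"
>> }
>>
>> XSETROOT=$(gdmwhich xsetroot)
>> if [ "x$XSETROOT" != "x" ] ; then
>>     # Try to snarf the BackgroundColor from the config file
>>     BACKCOLOR=$(grep '^BackgroundColor' /etc/X11/gdm/gdm.conf | sed 's/^.*=\(.*\)$/\1/')
>>     if [ "x$BACKCOLOR" = "x" ]; then
>>         BACKCOLOR="#76848F"
>>     fi
>>     "$XSETROOT" -cursor_name left_ptr -solid "$BACKCOLOR"
>> fi
>>
>> SESSREG=$(gdmwhich sessreg)
>> if [ "x$SESSREG" != "x" ] ; then
>>     # some output for easy debugging
>>     echo "$0: Registering your session with wtmp and utmp"
>>     echo "$0: running: $SESSREG -a -w /var/log/wtmp -u /var/run/utmp -x \"$X_SERVERS\" -h \"$REMOTE_HOST\" -l \"$DISPLAY\" \"$USER\""
>>
>>     exec "$SESSREG" -a -w /var/log/wtmp -u /var/run/utmp -x "$X_SERVERS" -h "$REMOTE_HOST" -l "$DISPLAY" "$USER"
>>     # this is not reached
>> fi
>> #Some output for easy debugging.
>> echo "$0: could not find the sessreg utility, cannot update wtmp and utmp"
>> exit 0
>> EOF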
>>
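>> # Point sshd's Banner at /etc/issue.  sshd sends the Banner text before
>> # authentication; it only displays the text and does not ask for yes/no.
>> # The substitution matches only the commented placeholder line, so check
>> # afterwards that an active Banner line exists; sshd must also re-read its
>> # configuration before the change takes effect.
>> perl -pi -e 's{^#Banner /some/path}{Banner /etc/issue}' /etc/ssh/sshd_config
>> grep -q '^Banner /etc/issue' /etc/ssh/sshd_config ||
>>     echo "sshd_config: no active 'Banner /etc/issue' line; set it by hand" >&2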
>>
>>
>> --
>> Shawn D. Wells
>> Solutions Architect, Federal Team
>> swells at redhat.com
>> C: 443-534-0130
>
>
>



