SLES 12 SP3 SSH MOTD - undesired information



kentcoble
24-May-2018, 17:04
I've been installing and configuring SLES 12 SP3 machines. Our configuration requirements state that we must use a DoD banner for SSH connections.

I've modified our /etc/motd and /etc/issue files to reflect the banners and changed the /etc/ssh/sshd_config to use `Banner /etc/issue`. Now the banner appears when connecting and after authentication.

However, some machines now have system information being printed out. This is not a desired effect and I have been ordered to remove it. The problem is that I cannot figure out where it is set to print this information.


-------------------------------------------
Hostname: linux
Current As Of: Thu May 24 09:30:02 2018
Distribution: SUSE Linux Enterprise Server 12
-Service Pack: 3
Architecture: x86_64
Kernel Version: 4.4.73-5-default
-Installed: Thu May 3 14:42:04 2018
-Status: Tainted: P X
Last Updated Package: Tue May 22 05:11:54 2018
-Patches Needed: 0
-Security: 0
-3rd Party Packages: 11
IPv4 Address: eth0 <IP>
Total/Free/+Cache Memory: 5962/4675/5411 MB (90% Free)
Hard Disk: /dev/sda 500 GB
-----------------------------------------------------------

How do I get rid of this?

ab
24-May-2018, 21:48
The fastest way to fix this is probably to find whoever built the box, or
this user as whom you are authenticating, and ask them to tell you what
they did, and then undo it. Which target user are you using for
authentication and does it matter if you change to some other user?

Anything that prints to the screen could potentially cause that to
display. That could be something system-specific or user-specific.
Create a new user on the target system and test with it; if the text still
shows up, it is something system-specific, and if not maybe something in
the user's own login scripts.

It may be interesting to know if that shows up when you use SSH to call
something explicitly:



ssh user@remote.box.goes.here 'ps';


Another option you may have, since nobody may be inclined to fess up, is
to look for some of those strings in places like /etc:



grep -Rl -e 'Hard Disk:' -e 'Last Updated Package:' /etc/*


Any files that come back, particularly those named something like 'bashrc'
or 'profile', are places to start.

At the end of the day, I've never seen this output, so I'm 99% sure it is
custom, so if nothing else build a new clean box, prove it is not there,
and then ask them to remove the stuff they do not want. If they really do
not know its origin, it has no business being on a supposedly-secure system.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

smflood
24-May-2018, 22:17
kentcoble Wrote in message:

> I've been installing and configuring SLES 12 SP3 machines. Our
> configuration requirements state that we must use a DoD banner for SSH
> connections.
>
> I've modified our /etc/motd and /etc/issue files to reflect the banners
> and changed the /etc/ssh/sshd_config to use `Banner /etc/issue`. Now the
> banner appears when connecting and after authentication.

Presumably you have different content in /etc/motd and /etc/issue
so you know the content of /etc/issue is being displayed as the
banner?

> However, some machines now have system information being printed out.
> This is not a desired effect and I have been ordered to remove it. The
> problem is that I cannot figure out where it is set to print this
> information.
>
>
> Code:
> --------------------
> -------------------------------------------
> Hostname: linux
> Current As Of: Thu May 24 09:30:02 2018
> Distribution: SUSE Linux Enterprise Server 12
> -Service Pack: 3
> Architecture: x86_64
> Kernel Version: 4.4.73-5-default
> -Installed: Thu May 3 14:42:04 2018
> -Status: Tainted: P X
> Last Updated Package: Tue May 22 05:11:54 2018
> -Patches Needed: 0
> -Security: 0
> -3rd Party Packages: 11
> IPv4 Address: eth0 <IP>
> Total/Free/+Cache Memory: 5962/4675/5411 MB (90% Free)
> Hard Disk: /dev/sda 500 GB
> -----------------------------------------------------------
> --------------------
>
>
> How do I get rid of this?

So this only happens on some (not all) of your machines? Like ab I
think this is something custom. On these machines is your
/etc/motd (or /etc/issue or /etc/issue.net) file being
overwritten with the above text?

HTH.
--
Simon Flood
SUSE Knowledge Partner



kentcoble
24-May-2018, 23:31
> The fastest way to fix this is probably to find whoever built the box, or this user as whom you are authenticating, and ask them to tell you what they did, and then undo it.

I built it, logging in as any user. It was created using Kiwi with a list of packages that are pre-installed.

> Another option you may have, since nobody may be inclined to fess up, is
> to look for some of those strings in places like /etc

I'll give that a shot

> Presumably you have different content in /etc/motd and /etc/issue so you know the content of /etc/issue is being displayed as the banner?

They both contain the same content, a DoD banner.

> So this only happens on some (not all) of your machines? Like ab I think this is something custom. On these machines is your /etc/motd (or /etc/issue or /etc/issue.net) file being overwritten with the above text?

It seems to only happen with a Kiwi image that has over 3,000 packages included with it. I have two different ISOs -- one containing developer libraries, database products, and additional networking services -- and only the one containing developer libraries displays this issue.

I've verified that /etc/issue and /etc/motd contain only the banner.

kentcoble
24-May-2018, 23:42
We may have found the culprit. One of our admins found the matching text under /var/spool/hostinfo/root-motd. Searching rpm leads to hostinfo-1.0-17.12.noarch, which is a package requested by the developers for some reason. Uninstalling it resolves the issue.
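
The string search suggested earlier in the thread, as an added example that is not part of any post here: it goes beyond /etc to other directories where login text can be staged, and adds an `rpm -qf` ownership lookup for each match. The directory list and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: trace unexpected login text to the file, and the RPM, that supplies it.
# Marker strings are taken from the output quoted in the thread; the directory
# list passed in scan mode is an assumption, adjust it for the host.

# owner_of FILE
# Prints the owning package, "unowned" when no package claims the file,
# or "rpm-unavailable" on hosts without rpm.
owner_of() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm-unavailable"
    elif pkg=$(rpm -qf --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$1" 2>/dev/null); then
        echo "$pkg" | head -n 1
    else
        echo "unowned"
    fi
}

# find_text_sources MARKER DIR...
# Prints "file<TAB>owner" for each file under the given directories that
# contains MARKER as a fixed string.
find_text_sources() {
    marker=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue        # skip directories missing on this host
        # -R recurse, -I skip binary files, -l file names only, -F fixed string
        grep -RIlF -e "$marker" "$dir" 2>/dev/null || :
    done | sort -u | while IFS= read -r file; do
        printf '%s\t%s\n' "$file" "$(owner_of "$file")"
    done
}

# Scan the live system only when asked to, e.g. "sh trace.sh scan" as root.
if [ "${1:-}" = "scan" ]; then
    for m in 'Hard Disk:' 'Last Updated Package:'; do
        find_text_sources "$m" /etc /var/spool /var/lib /run /usr/lib /usr/share
    done | sort -u
fi
```

A match reported as `unowned` was most likely generated at runtime; running `rpm -qf` on its parent directory is the next thing to check.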

ab
25-May-2018, 05:20
On 05/24/2018 04:44 PM, kentcoble wrote:
>
> We may have found the culprit. One of our admins found the matching text
> under /var/spool/hostinfo/root-motd. Searching rpm leads to
> hostinfo-1.0-17.12.noarch, which is a package requested by the
> developers for some reason. Uninstalling it resolves the issue.

Thanks for posting back; it is interesting to hear about that package, as
it is not one that rings any bells. Time to go see if I can duplicate it
and figure out how that works.

