Hack 28 Remove the Terminal Login Banner



Give users the information you want them to receive when they log in.

The default login process on a FreeBSD system produces a fair bit of information. The terminal message before the login prompt clearly indicates that the machine is a FreeBSD system. After logging in, a user will receive a copyright message and a Message of the Day (or motd), both of which contain many references to FreeBSD.

This may or may not be a good thing, depending upon the security requirements of your network. Your organization may also require you to provide legal information regarding network access or perhaps a banner touting the benefits of your corporation. Fortunately, a few simple hacks are all that stand between the defaults and your network's particular requirements.

3.6.1 Changing the Copyright Display

Let's start with the copyright information. That's this part of the default login process:

Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.

To prevent users from seeing this information, simply:

# touch /etc/COPYRIGHT

3.6.2 Changing the Message of the Day

Technically, you could add your own information to /etc/COPYRIGHT instead of leaving it as an empty file. However, it is common practice to put your information in /etc/motd instead. The default /etc/motd contains very useful information to the new user, but it does get rather old after a few hundred logins.

You can edit /etc/motd to say whatever suits your purposes, anything from your favorite sci-fi excerpt to all the nasty things that will happen to someone if they continue to try to log into your system. Here's a very simple example:

# more /etc/motd
*********************************************************
*****            Authorized users only!!            *****
*********************************************************

You'll note that after you customize your motd, users will still see this text prepended to it:

FreeBSD 5.1-RELEASE (GENERIC) #0: Thu Jun 5 02:55:42 GMT 2003

If you don't want to advertise your operating system version and kernel information, you'll need one more hack. Add this line to /etc/rc.conf:

update_motd="NO"

If you're using FreeBSD 5.x, you no longer have to reboot or go into single-user mode to initialize a change to /etc/rc.conf. Instead, you can use one of the many scripts available in /etc/rc.d. Let's see if there's a script that deals with motd:

# ls -F /etc/rc.d | grep motd
motd*

Excellent. Let's see what syntax that command expects:

# /etc/rc.d/motd
Usage: /etc/rc.d/motd [fast|force](start|stop|restart|rcvar)

Parameters in square brackets are optional, whereas parameters in parentheses are mandatory. Notice each option is separated by the or symbol (|), meaning you just pick one out of the list. In our case, we want to use the rcvar parameter. This will tell the motd script to reread its setting in /etc/rc.conf:

# /etc/rc.d/motd rcvar
# motd
$update_motd=NO

OpenBSD users, read man motd and /etc/rc (search for motd) to understand how the system constructs the banner. Otherwise, it'll update when you least expect it!


3.6.3 Changing the Login Prompt

Finally, let's change the text that first appears at the login prompt. This requires an edit to /etc/gettytab. This is a fairly important file as it controls access to your terminals, which is how users access the system. Before editing this file, always make a backup copy first:

# cp /etc/gettytab /etc/gettytab.orig

Next, open up /etc/gettytab in your favorite text editor and look for this line:

default:\
        :cb:ce:ck:lc:fd#1000:im=\r\n %s/%m (%h) (%t) \r\n\r\n:sp#1200:\

See the %s/%m (%h) (%t) part that follows im=\r\n? That's the part you can replace with what you'd like the world to see when they receive their login prompt. Right now, they see this:

FreeBSD/i386 (host.domain.com) (ttyv1)

That's because that default string contains the variables in Table 3-1.

Table 3-1. Login prompt variables

Variable    Meaning
%s          Operating system
%m          Architecture
%h          Hostname
%t          tty name

You can very carefully change those characters to something else. For example, mine looks like this:

:cb:ce:ck:lc:fd#1000:im=\r\n I'm a node in Cyberspace. Who are you? \
\r\n\r\n:sp#1200:\

Again, the only part I changed is the banner text that replaced %s/%m (%h) (%t). Carefully double-check that you didn't lose any carriage return (\r) or newline (\n) characters along the way, then save your change.

3.6.4 Testing Your Changes

It's important to test your change immediately at a different terminal to ensure you can still log into your system. This way, if you did make a typo that prevents logins, you can return to your previous terminal and fix it.

I'll press Alt-F4 to go to a terminal with a login prompt. I'll probably still see the old terminal message, so I'll log in, log out, then log in again:

login:
Password:
% exit
logout

I'm a node in cyberspace. Who are you?

login:
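
Beyond logging in by hand, the four settings from sections 3.6.1 through 3.6.3 can be checked with a script. The following is an added example, not code from the book: the function names audit_banner and make_sample, the finding labels and the sample files are all assumptions constructed for illustration, and the update_motd match is a simplification. Run audit_banner with no argument to check the live /etc.

```shell
#!/bin/sh
# Added example: audit the settings from sections 3.6.1-3.6.3.
# audit_banner ROOT prints one finding per line; no output means clean.
audit_banner() {
    etc="${1:-}/etc"
    # 3.6.1: an existing, empty COPYRIGHT file hides the copyright notice.
    if [ ! -e "$etc/COPYRIGHT" ] || [ -s "$etc/COPYRIGHT" ]; then
        echo "COPYRIGHT: missing or not empty"
    fi
    # 3.6.2: motd must not name the OS ...
    if grep -qi 'freebsd' "$etc/motd" 2>/dev/null; then
        echo "MOTD: mentions FreeBSD"
    fi
    # ... and rc.conf must stop the version line being prepended.
    # Simplification: any uncommented update_motd="NO" line counts.
    if ! grep -Eqi '^[[:space:]]*update_motd="?NO"?' "$etc/rc.conf" 2>/dev/null; then
        echo "RCCONF: update_motd is not NO"
    fi
    # 3.6.3: the im= banner must not expand %s (OS) or %m (architecture).
    if sed -n 's/.*:im=\([^:]*\).*/\1/p' "$etc/gettytab" 2>/dev/null |
        grep -Eq '%[sm]'; then
        echo "GETTYTAB: im= banner expands %s or %m"
    fi
}

# Constructed fixtures (not real system files): "default" mimics the
# defaults the page describes, "hardened" the result of applying the hack.
make_sample() {
    mkdir -p "$1/etc"
    if [ "$2" = hardened ]; then
        : > "$1/etc/COPYRIGHT"
        echo 'Authorized users only!!' > "$1/etc/motd"
        echo 'update_motd="NO"' > "$1/etc/rc.conf"
        banner='Authorized access only'
    else
        echo 'FreeBSD 5.1-RELEASE (GENERIC)' > "$1/etc/motd"
        : > "$1/etc/rc.conf"
        banner='%s/%m (%h) (%t)'
    fi
    printf 'default:\\\n\t:cb:ce:ck:lc:fd#1000:im=\\r\\n %s \\r\\n\\r\\n:sp#1200:\\\n' \
        "$banner" > "$1/etc/gettytab"
}

tmp=$(mktemp -d)
make_sample "$tmp/default" default
make_sample "$tmp/hardened" hardened
echo "default:";  audit_banner "$tmp/default"
echo "hardened:"; audit_banner "$tmp/hardened"
rm -rf "$tmp"
```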

3.6.5 See Also

  • man motd

  • man gettytab

  • The /etc/rc.d section of the FreeBSD Handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-rcng.html)



BSD Hacks
ISBN: 0596006799
EAN: 2147483647
Year: 2006
Pages: 160
Authors: Lavigne
