Amazon-ssm-agent: Display motd on session start

Created on 3 Apr 2019  路  13Comments  路  Source: aws/amazon-ssm-agent

This might be loosely related to #131, at least in my mind, but it'd be nice when starting a new session the systems motd gets displayed. This is usually handled by pam, at least that is the case on my Ubuntu system.

Also, something similar to SSH's Banner may be nice as well.

Most helpful comment

@shannonrdunn Unfortunately key management is still required. The agency I work with implemented ssh over ssm and closed port 22 and used a script similar to https://www.keepsecure.ca/blog/automating-access-through-a-jump-host-aws/ to automatically add the keys to the instance and expire them shortly to help fight the issue you are having.

All 13 comments

+1

Thank you for the feedback, we'll investigate this.

+1

+1

@YujiaozhAws do you have this on the roadmap possibly? It is hard to achieve some NIST control requirements without the ability to display a message to users on login.

@shannonrdunn if you do ssh over ssm the banner is displayed if that helps

@jimilinuxguy thanks! but we are trying not to allow ssh at all, and force ssm use. ssh over ssm you still have to use/manage the key pair right, and have port 22 exposed to the user?

This might help some of you:
https://github.com/elpy1/ssh-over-ssm

I can't vouch for that project, though it uses standard SSH, but does it OVER SSM, so far as I can tell does not require port 22 exposed, and it manages dynamic keypairs for short term use that the user themselves doesn't have to have, create, or even see.

Note I still thumb'd up the overall topic here which is getting a banner/MOTD through standard SSM Connect as ideal for my use cases, though was looking into other options.

@shannonrdunn Unfortunately key management is still required. The agency I work with implemented ssh over ssm and closed port 22 and used a script similar to https://www.keepsecure.ca/blog/automating-access-through-a-jump-host-aws/ to automatically add the keys to the instance and expire them shortly to help fight the issue you are having.

@adamdmharvey @jimilinuxguy wow these are great, and work great. thanks so much.

This would be fantastic to have especially for highly regulated industries.

I forgot about this a bit. You can sort of achieve this now with the introduction of shell profiles.

https://aws.amazon.com/about-aws/whats-new/2020/10/now-customize-your-session-manager-shell-environment-with-configurable-shell-profiles/

This can be accomplished by using shell profiles.
Closing.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

guizmaii picture guizmaii  路  3Comments

thedevopsmachine picture thedevopsmachine  路  4Comments

mvgfr picture mvgfr  路  4Comments

pbobov picture pbobov  路  5Comments

PaulAtkins picture PaulAtkins  路  3Comments