Login banners are a critical security control that display legal warnings before and after users authenticate to a system. On RHEL 8, three separate mechanisms control banner messages: /etc/issue for local console pre-login text, /etc/issue.net for SSH pre-login banners, and /etc/motd for the message of the day shown after login. Properly configured banners inform authorized users of acceptable use policies and put unauthorized users on notice that access is monitored. This tutorial covers all three mechanisms plus dynamic MOTD scripts.

Prerequisites

  • RHEL 8 server with sudo or root access
  • OpenSSH server installed and running (dnf install -y openssh-server)
  • A text editor such as vi or nano
  • Legal review of banner text recommended for production environments

Step 1 — Configure the Pre-Login Console Banner (/etc/issue)

The /etc/issue file is displayed by the getty process on virtual consoles before the login prompt appears. It supports escape codes that insert dynamic system information such as the hostname and kernel version.

# Backup the existing file first
sudo cp /etc/issue /etc/issue.bak

# Write a legal warning banner to /etc/issue
sudo tee /etc/issue > /dev/null <<'EOF'
*******************************************************************************
*                          AUTHORIZED ACCESS ONLY                              *
*                                                                              *
*  This system is the property of [Organization Name]. Unauthorized access    *
*  or use is strictly prohibited and may be subject to criminal prosecution   *
*  under applicable law. All activity on this system is monitored and         *
*  recorded. By proceeding, you consent to this monitoring.                   *
*                                                                              *
*  Hostname: \n | OS: \s \r | Date: \d \t                                *
*******************************************************************************

EOF

# Verify the file
cat /etc/issue

Step 2 — Configure the SSH Pre-Login Banner (/etc/issue.net)

/etc/issue.net serves a similar purpose to /etc/issue but for SSH connections. Unlike /etc/issue, it does not expand escape codes, so use plain text only. The SSH daemon must be explicitly configured to display this file.

# Write the SSH pre-login banner
sudo tee /etc/issue.net > /dev/null <<'EOF'
*******************************************************************************
*                          AUTHORIZED ACCESS ONLY                              *
*                                                                              *
*  This computer system is for authorized use only. Unauthorized access is    *
*  prohibited. All connections are monitored and logged. Disconnect now if    *
*  you are not an authorized user. Violators may be subject to civil and      *
*  criminal penalties under applicable law.                                   *
*******************************************************************************
EOF

# Enable the banner in sshd_config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

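# Set the Banner directive (uncomment if present, or add it)
# -E is required so that "#?" means "optional leading #"
sudo sed -i -E 's|^#?Banner.*|Banner /etc/issue.net|' /etc/ssh/sshd_config
grep -q '^Banner' /etc/ssh/sshd_config || echo 'Banner /etc/issue.net' | sudo tee -a /etc/ssh/sshd_config > /dev/null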

# Verify the setting was applied
grep "^Banner" /etc/ssh/sshd_config

# Reload sshd to apply changes
sudo systemctl reload sshd
sudo systemctl is-active sshd

Step 3 — Configure the Post-Login Message of the Day (/etc/motd)

The /etc/motd (Message of the Day) file is shown after a successful login. It is managed by PAM via the pam_motd.so module and is the appropriate place for operational notices, policy reminders, and system status.

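# Write an MOTD with a post-login legal notice and system info
sudo tee /etc/motd > /dev/null <<'EOF'
[Post-login legal notice and system information for your organization]
EOF

# Confirm pam_motd.so is referenced in the sshd PAM stack
grep pam_motd /etc/pam.d/sshd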

# Test by viewing the file
cat /etc/motd

Step 4 — Disable PrintLastLog and Other Information Leakage

By default, SSH prints the last login time and source IP. While useful for users, this information can assist attackers in profiling the system. Review related sshd_config directives alongside the banner configuration.

# Review current sshd_config settings related to banners and information disclosure
grep -E "^(Banner|PrintMotd|PrintLastLog|PermitUserEnvironment)" /etc/ssh/sshd_config

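# Recommended hardening settings alongside the banner
# sshd uses the first value it reads for each keyword, so appended lines only
# take effect for keywords that are not already set earlier in the file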
sudo tee -a /etc/ssh/sshd_config > /dev/null <<'EOF'

# Security hardening additions
PrintLastLog yes
PrintMotd no
PermitUserEnvironment no
EOF

# Validate sshd config syntax before reloading
sudo sshd -t && echo "Configuration is valid"

# Reload sshd
sudo systemctl reload sshd

Step 5 — Create Dynamic MOTD Scripts

RHEL 8 supports dynamic MOTD by running scripts in /etc/update-motd.d/. Scripts are executed in lexical order and their output is concatenated. This allows you to display live system status on every login.

# Create the update-motd.d directory if it does not exist
sudo mkdir -p /etc/update-motd.d/

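# Script 00: Legal header (runs first)
sudo tee /etc/update-motd.d/00-legal > /dev/null <<'EOF'
#!/bin/bash
echo "[Legal notice text]"
EOF

# Script 10: System information
sudo tee /etc/update-motd.d/10-sysinfo > /dev/null <<'EOF'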
#!/bin/bash
echo "  Hostname : $(hostname -f)"
echo "  OS       : $(cat /etc/redhat-release)"
echo "  Kernel   : $(uname -r)"
echo "  Uptime   : $(uptime -p)"
echo "  CPU Load : $(cut -d' ' -f1-3 /proc/loadavg)"
echo "  Memory   : $(free -h | awk '/^Mem:/ {print $3 " used of " $2}')"
echo "  Disk /   : $(df -h / | awk 'NR==2 {print $3 " used of " $2 " (" $5 " full)"}')"
echo ""
EOF

# Make scripts executable
sudo chmod +x /etc/update-motd.d/00-legal /etc/update-motd.d/10-sysinfo

# Configure PAM to run update-motd.d scripts
# Edit /etc/pam.d/sshd and ensure this line is present in the session section:
# session    optional     pam_motd.so motd=/run/motd.dynamic
grep pam_motd /etc/pam.d/sshd

# Generate and preview dynamic motd manually
sudo run-parts /etc/update-motd.d/

Step 6 — Verify the Full Banner Configuration

Test the entire banner chain by checking file contents, validating SSH config, and performing a test SSH connection to confirm banners display correctly.

# Summarize all banner-related files
echo "=== /etc/issue ===" && cat /etc/issue
echo "=== /etc/issue.net ===" && cat /etc/issue.net
echo "=== /etc/motd ===" && cat /etc/motd

# Confirm sshd banner directive
grep -n "Banner" /etc/ssh/sshd_config

# Check SELinux context on banner files (should be etc_t or similar)
ls -lZ /etc/issue /etc/issue.net /etc/motd

# Confirm sshd is running with the new configuration
sudo systemctl status sshd --no-pager

# Test SSH connection (you should see the /etc/issue.net banner before password prompt)
# ssh -v localhost 2>&1 | grep -A3 "Remote protocol"
echo "SSH banner test: connect with 'ssh localhost' to verify the pre-login banner"
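
The checks from Steps 2, 4 and 6 can be scripted so they run against a copy of the configuration. The following is an added example, not part of the original tutorial: the function names sshd_effective and banner_findings and the sample files are constructed for illustration, and the parser assumes whitespace-separated keywords and no Include files.

```bash
# Added example: read-only audit helpers; every path is an argument.

# Print the value sshd uses globally for a keyword: the FIRST uncommented
# occurrence before any Match block. Keywords are case-insensitive.
sshd_effective() {  # usage: sshd_effective <keyword> <sshd_config>
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while read -r key value || [ -n "$key" ]; do
    case $key in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    [ "$key" = match ] && break
    if [ "$key" = "$want" ]; then printf '%s\n' "$value"; return 0; fi
  done < "$2"
  return 1
}

# Print one finding per line for a banner file; no output means clean.
banner_findings() {  # usage: banner_findings <file>
  [ -s "$1" ] || { echo "missing or empty"; return 0; }
  # Group- or world-writable: a non-root account could alter the legal text.
  if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \))" ]; then
    echo "writable by group or other"
  fi
  # sshd sends the Banner file verbatim, so getty escapes would show literally.
  if grep -q '\\[A-Za-z]' "$1"; then echo "contains getty escape codes"; fi
  return 0
}

# --- constructed sample input (not from a real host) ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
cat > "$demo/sshd_config" <<'EOF'
PrintMotd yes
#Banner none
banner /etc/issue.net
Match User backup
    Banner none
# lines appended here fall inside the Match block above
PrintMotd no
PrintLastLog yes
EOF
printf 'AUTHORIZED ACCESS ONLY\nHost: \\n\n' > "$demo/issue.net"
chmod 664 "$demo/issue.net"

for kw in Banner PrintMotd PrintLastLog; do
  echo "$kw = $(sshd_effective "$kw" "$demo/sshd_config" || echo '(not set globally)')"
done
banner_findings "$demo/issue.net"
```

On a live host, sudo sshd -T prints the configuration sshd actually resolves and remains the authoritative check.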

Conclusion

You have configured a complete login banner system on RHEL 8 covering all three display points: the pre-login console banner in /etc/issue, the SSH pre-login banner via /etc/issue.net and sshd_config, and the post-login MOTD through /etc/motd and dynamic scripts in /etc/update-motd.d/. A well-crafted legal warning banner establishes notice of monitoring, which is a prerequisite for many compliance frameworks including PCI-DSS and HIPAA. Keep banner text reviewed by legal counsel and updated to reflect current organizational policy.

Next steps: Configuring SSH key-based authentication and disabling password login on RHEL 8, Centralizing authentication with SSSD and Active Directory on RHEL 8, and Auditing SSH access with auditd on RHEL 8.