How to Set Up Automatic SSH Login Banners on RHEL 7
Displaying a clear, legally appropriate banner when users connect to a Linux server over SSH is both a security best practice and a compliance requirement in many regulated environments such as PCI-DSS, HIPAA, and government frameworks. On Red Hat Enterprise Linux 7, there are several mechanisms for presenting messages to users: pre-authentication banners shown before the SSH login prompt, post-authentication messages delivered after a successful login, and dynamic messages generated at login time from scripts. This tutorial explains each mechanism, how to configure them, how to craft appropriate legal warning text, and how to remove or suppress default MOTD components you do not want.
Prerequisites
- RHEL 7 system with root or sudo access.
- OpenSSH server installed and running (sudo yum install openssh-server if needed).
- Basic familiarity with editing files and restarting services.
- An SSH client to test the changes (can be on the same machine using ssh localhost).
Step 1: Understanding the Banner Mechanisms
RHEL 7 provides three distinct places where a message can be shown to SSH users, and it is important to understand the difference between them before making changes:
- /etc/issue.net — Displayed to the remote user before they authenticate. This is the pre-login banner controlled by the Banner directive in sshd_config. It is the correct place for legal warning text because an unauthenticated user sees it before entering credentials.
- /etc/motd — The classic Message of the Day. Displayed after a successful login. Controlled by PAM and SSH together.
- /etc/issue — Used by local (non-SSH) logins on virtual terminals (TTYs). Not shown over SSH by default.
- /etc/profile.d/ scripts — Shell scripts that run at login time and can generate dynamic content (uptime, last login, etc.) in the post-login session.
Step 2: Configure the Pre-Login Banner with /etc/issue.net
The pre-login banner is the most security-critical message because it establishes legal notice before any authentication takes place. Many legal teams require that this banner state the system is for authorised users only and that use may be monitored.
First, edit /etc/issue.net:
vi /etc/issue.net
A typical legal warning banner looks like this:
*******************************************************************************
AUTHORISED ACCESS ONLY
This system is the property of Example Corporation. Unauthorised access or use
is strictly prohibited and may be subject to criminal prosecution under the
Computer Fraud and Abuse Act (18 U.S.C. § 1030) and other applicable laws.
By logging in, you acknowledge that:
- You are an authorised user of this system.
- Your activities may be monitored and recorded.
- There is no expectation of privacy on this system.
If you are not an authorised user, disconnect immediately.
*******************************************************************************
Next, enable the banner in /etc/ssh/sshd_config. Open the file and locate or add the Banner directive:
vi /etc/ssh/sshd_config
# Find and set the Banner line:
Banner /etc/issue.net
Reload the SSH daemon to apply the change:
systemctl reload sshd
Test by connecting from another terminal:
ssh testuser@localhost
The banner text should appear before the password prompt.
Step 3: Configure the Post-Login Message with /etc/motd
The /etc/motd file is displayed after successful authentication. It is a good place for operational notices: maintenance windows, change freeze periods, or system-specific instructions.
vi /etc/motd
===========================================================================
Production Server: web01.example.com
Environment: PRODUCTION — changes require CAB approval
Maintenance: Every Sunday 02:00–04:00 UTC
Issues/Requests: [email protected] | Ext. 1234
===========================================================================
The MOTD is displayed by PAM via the pam_motd module. Check that it is enabled in /etc/pam.d/sshd:
grep pam_motd /etc/pam.d/sshd
You should see a line like:
session optional pam_motd.so
If it is missing or commented out, add it to the session section of /etc/pam.d/sshd.
Step 4: Control SSH MOTD Display via sshd_config
The SSH daemon has two directives that interact with post-login messages:
- PrintMotd yes|no — Controls whether sshd itself prints /etc/motd on login. Defaults to yes.
- PrintLastLog yes|no — Controls whether the last login time and source IP are displayed. Defaults to yes.
vi /etc/ssh/sshd_config
# Keep MOTD display enabled
PrintMotd yes
# Show the last login timestamp (useful for detecting unauthorised access)
PrintLastLog yes
If PAM is already printing the MOTD via pam_motd, having both PrintMotd yes in sshd_config and the PAM module active can cause the MOTD to be displayed twice. To avoid duplication, set PrintMotd no in sshd_config and rely on PAM alone, or remove the pam_motd line from /etc/pam.d/sshd and rely on sshd alone.
systemctl reload sshd
Step 5: Create Dynamic MOTD with /etc/profile.d/ Scripts
Static messages in /etc/motd quickly become stale. A better approach for operational information is to generate the content dynamically at login time using a shell script placed in /etc/profile.d/. Scripts in this directory are sourced for every interactive login shell.
vi /etc/profile.d/login-info.sh
#!/bin/bash
# Dynamic login information — displayed at every interactive login
echo ""
echo " Hostname: $(hostname -f)"
echo " Kernel: $(uname -r)"
echo " Uptime: $(uptime -p)"
echo " CPU Load: $(cat /proc/loadavg | awk '{print $1, $2, $3}')"
echo " Memory: $(free -h | awk '/^Mem:/ {print $3 " used / " $2 " total"}')"
echo " Disk (/): $(df -h / | awk 'NR==2 {print $3 " used / " $2 " total (" $5 " full)"}')"
echo " Users: $(who | wc -l) logged in"
echo " Date: $(date)"
echo ""
chmod +x /etc/profile.d/login-info.sh
The next time any user logs in interactively, they will see the current system stats. This works for both SSH sessions and local console logins. Note that this only fires for interactive shells; non-interactive SSH sessions (such as automated scp transfers) will not trigger it.
Step 6: Disable Unwanted Default MOTD Components
On a minimal RHEL 7 install the default MOTD is usually empty, but some environments have PAM or system packages that add their own content. Common sources of unwanted messages include:
- /etc/motd — Edit or empty this file: echo "" > /etc/motd
- /etc/update-motd.d/ — If this directory exists (more common on Ubuntu, but occasionally present), make scripts non-executable: chmod -x /etc/update-motd.d/*
- pam_motd.so in /etc/pam.d/sshd — Comment out the line to suppress PAM MOTD entirely.
- News/mail notices from pam_mail — Disable the pam_mail.so line in /etc/pam.d/sshd if you do not want mail notifications at login.
# Silence PAM mail notification at login
vi /etc/pam.d/sshd
# Comment out this line if present:
# session optional pam_mail.so standard noenv # Displays mail
# After any sshd_config change, always reload:
systemctl reload sshd
Step 7: Verify the Configuration
Test the full login experience as an unprivileged user to confirm banners are displayed correctly and in the right order:
# From another session or terminal
ssh -o StrictHostKeyChecking=no [email protected]
Expected order of messages:
- The pre-login banner from /etc/issue.net (appears before password prompt).
- Password or key authentication.
- Last login line (if PrintLastLog yes).
- Contents of /etc/motd (static operational notice).
- Output from /etc/profile.d/login-info.sh (dynamic system stats).
If the banner does not appear before the prompt, double-check that the Banner directive in /etc/ssh/sshd_config is uncommented, points to the correct file, and that systemctl reload sshd has been run.
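One way to script the Banner check from Step 2 and the duplicate-MOTD check from Step 4 against config files before reloading sshd, bearing in mind that sshd uses the first value it reads for a keyword, so a Banner line added below an earlier active one has no effect (an added example, not part of the original tutorial). The function names, the optional root-prefix argument and the sample files are constructed for illustration.

```bash
# Added example: offline audit of the banner and MOTD settings from this tutorial.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.
sshd_opt() {  # usage: sshd_opt <config-file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/        { next }           # blank line or comment
        tolower($1) == "match"      { exit }           # global section ends
        tolower($1) == tolower(key) { val = $2; exit } # first value wins
        END { gsub(/"/, "", val); print (val != "" ? val : def) }
    ' "$1"
}

# Pre-login banner: directive active, target file present and non-empty.
# The optional root prefix (an assumption of this example) checks a staged tree.
check_banner() {  # usage: check_banner <sshd_config> [root-prefix]
    banner=$(sshd_opt "$1" Banner none)
    if [ "$banner" = "none" ]; then
        echo "FAIL: no active global Banner directive"; return 1
    fi
    if [ ! -s "${2:-}$banner" ]; then
        echo "FAIL: $banner is missing or empty"; return 1
    fi
    echo "OK: Banner $banner"
}

# Number of components that will print /etc/motd; 2 means it shows twice.
motd_printers() {  # usage: motd_printers <sshd_config> <pam.d/sshd>
    n=0
    if [ "$(sshd_opt "$1" PrintMotd yes)" = "yes" ]; then n=$((n + 1)); fi
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_motd\.so' "$2"; then
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample files: commented-out Banner, then the active one.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc"
    printf '%s\n' '#Banner none' 'banner /etc/issue.net' 'PrintMotd yes' \
        'Match User backup' '    Banner none' > "$d/sshd_config"
    echo 'session    optional     pam_motd.so' > "$d/pam_sshd"
    echo 'AUTHORISED ACCESS ONLY' > "$d/etc/issue.net"
    check_banner "$d/sshd_config" "$d"
    echo "MOTD printers: $(motd_printers "$d/sshd_config" "$d/pam_sshd")"
    rm -rf "$d"
}
demo
```

On a live host, sshd -T (run as root) prints the effective configuration as the daemon itself resolves it, and sshd -t validates the file before systemctl reload sshd.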
Conclusion
Properly configured SSH banners serve two purposes simultaneously: they fulfil legal and compliance requirements by providing notice of monitoring and authorised-use policies before authentication, and they give operators a clean channel for delivering operational information after login. On RHEL 7, the combination of /etc/issue.net for pre-login legal text, /etc/motd for static notices, and /etc/profile.d/ scripts for dynamic system information gives you fine-grained control over exactly what every user sees. Keep banners clear and factually accurate, review legal text with your organisation’s counsel, and always test changes by logging in as a regular user to confirm the exact user experience.