How to Configure User Login Banners on a Debian 12 Bookworm System

In this article, we will guide you through the steps to configure user login banners on a Debian 12 Bookworm system.

Configuring a login banner on a Debian-based system, particularly on Debian 12 Bookworm, is an essential aspect of system administration. Login banners provide a means of displaying important information or a warning message before users log in. These messages can include system usage policies, legal disclaimers, security warnings, or simply a welcome message. In many environments, especially in corporate or security-conscious setups, login banners are crucial for ensuring users are aware of the system’s rules and regulations.

This article will guide you through the steps to configure user login banners on a Debian 12 Bookworm system. We will cover:

  1. What is a Login Banner?
  2. Why You Should Use Login Banners
  3. Configuring Login Banners in Debian 12 Bookworm
  4. Customizing the Banner with Different Methods
  5. Troubleshooting Login Banner Configuration

1. What is a Login Banner?

A login banner is a message displayed to a user when they log in to a system. It is typically shown after the user connects via a terminal, SSH, or any other login method. This message can be static or dynamic, and it serves as an initial interface for the user before they authenticate.

There are various types of login banners you might encounter:

  • Pre-login Banner: This is shown before the login prompt and can provide legal notices, warnings, or disclaimers.
  • Post-login Banner: This appears after a user successfully logs in but before they gain access to the shell or the desktop environment.

In Debian 12 Bookworm, the configuration of login banners is typically done through files in the /etc directory. These banners are often shown through the terminal or during the SSH connection process.

2. Why You Should Use Login Banners

There are several reasons why configuring a login banner is beneficial:

  • Security: A login banner can be used to warn users about unauthorized access, putting everyone who connects on notice that the system is for authorized users only. The banner is a warning, not an access control.
  • Compliance: Many organizations and institutions require that users acknowledge security and legal policies before they access the system. Login banners provide a way to display these policies and obtain user acknowledgment.
  • System Administration Transparency: Administrators may want to use the login banner to display system maintenance notifications or important messages to all users logging in.
  • Auditing: Legal disclaimers that users must read before logging in may be required in some industries to protect both the user and the organization from liability in case of unauthorized use.

3. Configuring Login Banners in Debian 12 Bookworm

In Debian 12 Bookworm, configuring a login banner typically involves modifying a few key files. These files are responsible for displaying the banner before or after the user logs in.

Step 1: Enabling the Banner for Terminal and SSH

To configure a login banner in Debian 12 Bookworm, you’ll first need to edit or create specific files. The primary file used for login banners is /etc/motd (Message of the Day). However, if you’re dealing with remote logins (SSH), you’ll need to configure additional settings.

Configuring the Message of the Day (MOTD)
  1. Edit the /etc/motd file:
    The /etc/motd file holds the message that will be shown to users after they log in to the system. If this file does not exist, you can create it.

    Use your preferred text editor to modify or create the file. For example:

    sudo nano /etc/motd
    
  2. Add your message:
    In this file, you can add any text you’d like to appear when a user logs in, such as legal disclaimers, system information, or security warnings.

    For example:

    **************************************************************
    * WARNING: Unauthorized access to this system is prohibited *
    * Violators will be prosecuted to the full extent of the law *
    **************************************************************
    
  3. Save and exit:
    After you’ve added your message, save the file and exit the editor.

Configuring the Pre-login Banner for SSH

If you’re dealing with remote logins, such as SSH, you’ll need to configure the banner displayed before the login prompt.

  1. Edit the SSH configuration file:
    The file that controls SSH settings is /etc/ssh/sshd_config. To display a banner before the login prompt, you need to specify the file that contains the banner message.

    Open the SSH configuration file for editing:

    sudo nano /etc/ssh/sshd_config
    
  2. Specify the banner file:
    Locate the Banner directive in the sshd_config file. If it’s commented out (with a # symbol), remove the comment and specify the location of the banner file. For instance, you can use the /etc/issue.net file as the banner.

    For example:

    Banner /etc/issue.net
    
  3. Save and exit:
    After saving the changes, exit the editor.

  4. Create or modify the /etc/issue.net file:
    The /etc/issue.net file is where you can add the message to be shown before the login prompt during SSH connections.

    Edit the file with your preferred message:

    sudo nano /etc/issue.net
    

    Add your banner content, such as:

    **************************************************************
    * WARNING: Unauthorized access to this system is prohibited *
    * Violators will be prosecuted to the full extent of the law *
    **************************************************************
    
  5. Restart SSH service:
    After modifying the sshd_config and issue.net files, you need to restart the SSH service for the changes to take effect.

    sudo systemctl restart sshd
    

Now, when a user attempts to log in remotely via SSH, the banner message will appear before the login prompt.

Step 2: Configuring the Pre-login Banner for Local Terminal

For local users (those logging in directly on the console or through a virtual terminal), you can also configure the pre-login banner.

  1. Edit /etc/issue file:
    The /etc/issue file contains the banner message shown before the login prompt when a user logs in locally.

    Open it with:

    sudo nano /etc/issue
    
  2. Add your banner content:
    Just like with /etc/motd and /etc/issue.net, you can add your custom message here. For instance:

    **************************************************************
    * Welcome to Debian 12 Bookworm!                             *
    * Unauthorized access to this system is prohibited.         *
    **************************************************************
    
  3. Save and exit:
    Save the changes and exit the editor.

  4. Verify the changes:
    After saving, log out and log back in to ensure the banner appears. You should see the banner before the login prompt.

4. Customizing the Banner with Different Methods

In addition to the standard methods of configuring banners, there are a few advanced options for customization:

Dynamic Banner via Scripts

You can create dynamic banners by using scripts that generate messages based on system conditions. For example, a script could show the current system uptime, the number of users logged in, or any other system information.

  1. Create a script:
    Create a simple script that outputs dynamic information.

    Example script /usr/local/bin/banner.sh:

    #!/bin/bash
    echo "Welcome to Debian 12 Bookworm!"
    echo "System uptime: $(uptime -p)"
    
  2. Make the script executable:

    sudo chmod +x /usr/local/bin/banner.sh
    
  3. Configure the banner to use the script:
    You can configure the login system to call this script instead of using a static file.

    In /etc/profile (read by login shells) or /etc/bash.bashrc (read by every interactive bash shell, not only at login), add:

    /usr/local/bin/banner.sh
    

Now, each time a user logs in, the dynamic banner will be displayed.

5. Troubleshooting Login Banner Configuration

If you encounter issues with the login banner not displaying, here are a few steps to troubleshoot:

  • Ensure the proper files are configured:
    Check that the correct files are being used for local login (/etc/issue), remote login (/etc/issue.net), and the message of the day (/etc/motd).

  • Check file permissions:
    Verify that the files have appropriate permissions. For example, the /etc/issue, /etc/issue.net, and /etc/motd files should be readable by all users.

    You can check permissions with:

    ls -l /etc/issue /etc/issue.net /etc/motd
    
  • Restart services:
    If you’re using SSH, ensure that the SSH service has been restarted after making changes to /etc/ssh/sshd_config.

    sudo systemctl restart sshd
    
  • Test locally and remotely:
    Try logging in both locally and remotely to confirm that the banners are configured properly for both types of sessions.
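
The file, permission and Banner-directive checks from the list above can be scripted. The following is an added example, not part of the original article; the function names and the SSHD_CONFIG variable are assumptions of this example, and the writable-bit test is an extra hardening check beyond the article's "readable by all users".

```shell
#!/bin/sh
# Added example: audit the banner files this article configures.

# check_banner FILE: one line per finding; returns 0 if clean, 1 otherwise.
check_banner() {
    f=$1; rc=0
    if [ ! -f "$f" ]; then echo "FAIL $f: missing"; return 1; fi
    mode=$(stat -c '%a' "$f")            # GNU stat: octal mode, e.g. 644
    if [ ! -s "$f" ]; then echo "FAIL $f: empty, nothing to display"; rc=1; fi
    if [ $(( 0$mode & 0004 )) -eq 0 ]; then
        echo "FAIL $f: mode $mode is not readable by all users"; rc=1
    fi
    # Extra hardening check (not from the article): only the owner may write.
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
        echo "FAIL $f: mode $mode is group- or world-writable"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $f (mode $mode)"; fi
    return "$rc"
}

# sshd_banner_path CONFIG: print the file named by the first active Banner
# line (sshd uses the first value it obtains); print nothing if none is set.
# Include and Match are not followed; on a live host compare with `sshd -T`.
sshd_banner_path() {
    awk 'tolower($1) == "banner" { print $2; exit }' "$1"
}

# audit_banners: check the three files from the article plus the SSH banner.
audit_banners() {
    status=0
    for b in /etc/issue /etc/issue.net /etc/motd; do
        check_banner "$b" || status=1
    done
    cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}   # SSHD_CONFIG: override for testing
    banner=$(sshd_banner_path "$cfg")
    case $banner in
        ''|none) echo "FAIL $cfg: no Banner file configured"; status=1 ;;
        *) echo "INFO $cfg: Banner -> $banner"
           check_banner "$banner" || status=1 ;;
    esac
    return "$status"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "audit" ]; then audit_banners; fi
```

Run it as `sh script.sh audit`; a non-zero exit status means at least one FAIL line was printed.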

Conclusion

Configuring user login banners in Debian 12 Bookworm is a straightforward process that can enhance security, user compliance, and system transparency. By modifying files like /etc/issue, /etc/issue.net, and /etc/motd, administrators can display important messages before users log in. Whether you’re looking to provide security warnings, legal disclaimers, or system notifications, these banners can be customized to meet the specific needs of your organization.