Effective communication within a high-available cloud or network infrastructure begins at the point of shell entry. The Motd Customization Guide focuses on the strategic deployment of the Message of the Day (MOTD) banner, which serves as a critical interface for systems administrators and security auditors. In complex environments, such as energy grid management or telecommunications backbones, the MOTD is not merely a welcome message; it is a live dashboard and legal enforcement tool. It provides immediate visibility into system health, pending updates, and authorized usage policies. By centralizing vital metrics like CPU load, memory transition, and active security breaches at login, engineers can reduce the time-to-knowledge during critical incidents. This guide addresses the challenge of static, uninformative login screens by implementing a dynamic, multi-scripted architecture that balances system latency against the value of real-time data delivery. Properly configured, the MOTD acts as an idempotent reporting layer that maintains consistency across thousands of nodes within a fleet.
TECHNICAL SPECIFICATIONS
| Requirement | Default Port/Range | Protocol/Standard | Impact Level (1-10) | Recommended Resources |
| :— | :— | :— | :— | :— |
| OpenSSH Server | 22 / TCP | SSHv2 / RFC 4253 | 9 | 10MB RAM / 1% CPU |
| PAM (pam_motd) | N/A | Linux PAM | 7 | Negligible |
| update-motd.d | N/A | POSIX Shell | 6 | Minimal I/O Overhead |
| Terminal Support | ANSI / xterm | ISO/IEC 6429 | 4 | No Hardware Load |
| Script Execution | 0755 Permissions | Bash / Python | 8 | 512MB RAM minimum |
THE CONFIGURATION PROTOCOL
Environment Prerequisites:
Before initiating the configuration, the system must adhere to specific administrative standards. At the software level, Ubuntu 20.04 LTS or higher, Debian 11+, or RHEL 8/9 systems using the update-motd framework are required. The user must possess sudo or root privileges to modify files within the /etc/ directory. From a compliance perspective, ensure the banner content aligns with ISO 27001 or NIST 800-53 standards regarding notice-and-consent for information system access. Access to the sshd_config file is mandatory to ensure the SSH daemon is configured to display the generated banner.
Section A: Implementation Logic:
The logic of a professional MOTD resides in the modularity of the update-motd.d directory. Unlike a static file located at /etc/motd, the dynamic framework executes a series of scripts in numerical order during the login sequence. This design follows the principle of encapsulation: each script is responsible for a specific data payload, such as network throughput metrics or disk saturation levels. When a user authenticates, the pam_motd module triggers these scripts. To minimize login latency, the output should be concise. If high concurrency is expected on a jump-server, the scripts should favor cached data over real-time intensive queries to prevent significant overhead that could delay shell availability for incoming administrators.
Step-By-Step Execution
1. Verification of the PAM Stack
Execute a check on the Pluggable Authentication Module configuration by targeting grep -r “pam_motd” /etc/pam.d/.
System Note: Investigating this file ensures that pam_motd.so is active. If this module is commented out or missing, the kernel will not trigger the MOTD generation scripts during the session initialization, rendering any customization invisible.
2. Sanitizing the Directory
Navigate to /etc/update-motd.d/ and list the existing assets via ls -l.
System Note: Most distributions include default scripts (e.g., 10-help-text, 50-motd-news). These often connect to external third-party servers, which can introduce latency and potential privacy leaks. Removing execution bits with chmod -x on these files prevents their execution by the run-parts logic.
3. Constructing the Header Logic
Create a new file named 00-header using sudo nano /etc/update-motd.d/00-header. Insert a script that captures the system hostname and kernel version.
System Note: Using the hostnamectl command within this script allows the MOTD to pull data directly from the systemd host attributes. This ensures that the first payload the administrator sees confirms they are on the correct physical or virtual asset.
4. Integrating Hardware Telemetry
Develop a script named 20-sysinfo to monitor thermal-inertia indicators and resource usage. Use free -m and uptime variables.
System Note: This script uses the awk utility to parse the /proc/loadavg file. By calculating the load average directly from the kernel interface, the administrator receives a high-fidelity snapshot of system state without the need for installing external monitoring agents that could increase the attack surface.
5. Network Throughput and Latency Reporting
Implement a diagnostic script named 30-network that utilizes ip -s link.
System Note: This logic examines the network interface controllers (NICs). By displaying current transmission (TX) and reception (RX) errors, the MOTD highlights potential signal-attenuation or packet-loss before the admin even issues a manual diagnostic command.
6. Permissions and Execution Test
Apply the necessary execution bits using sudo chmod +x /etc/update-motd.d/* and test the output with sudo run-parts /etc/update-motd.d/.
System Note: The chmod 755 command ensures that the system user responsible for the login process has the rights to execute these scripts. If permissions are set incorrectly, the pam_motd module will fail silently, leading to a blank or incomplete banner.
Section B: Dependency Fault-Lines:
The primary bottleneck in MOTD customization is the execution time of external binaries. If a script within /etc/update-motd.d/ attempts to perform a network-based update check (e.g., apt-get update), the login latency will increase significantly. This can be misinterpreted as a network failure or a brute-force mitigation delay. Furthermore, shell incompatibilities can arise if scripts use “bashisms” while the system default is set to sh or dash. Always ensure the shebang (#!/bin/bash) is explicitly defined to maintain idempotent behavior across different Linux distributions.
THE TROUBLESHOOTING MATRIX
Section C: Logs & Debugging:
When the MOTD fails to display, the first point of inspection is /var/log/auth.log or the journalctl -u ssh output. Look for the error string “pam_motd: error executing /etc/update-motd.d/”. This usually indicates a syntax error within one of the custom scripts. If the banner appears “stale” (displaying old data), check for a static file at /etc/motd.static or /run/motd.dynamic. On many systems, the dynamic banner is cached in /run/ to improve performance; if the scripts are failing to update this cache, verify that the /run filesystem (usually a tmpfs) has sufficient space and has not switched to read-only mode due to underlying kernel faults. Visual cues: if colors are appearing as raw escape codes (e.g., ^[[31m), verify that the terminal emulator supports ANSI color encapsulation.
OPTIMIZATION & HARDENING
– Performance Tuning: To manage high concurrency on production gateways, refrain from running heavy logic-controllers during login. Instead, utilize a cron job to run the scripts every 5 minutes and redirect the output to a static file. Use the PrintMotd directive in /etc/ssh/sshd_config to point to this pre-generated file. This reduces the CPU overhead at the exact moment of authentication.
– Security Hardening: Ensure that no script within update-motd.d is world-writable (chmod 777 is strictly forbidden). An attacker with low-level access could modify these scripts to escalate privileges or execute malicious payloads when an administrator logs in. Firewall rules should restrict outbound traffic from these scripts; they should never pull data from the public internet during the login phase to prevent “hang” scenarios if a remote repository is down.
– Scaling Logic: In a clustered environment, use configuration management tools like Ansible or Terraform to push the MOTD scripts across the entire fleet. By using variables for the site location and rack number, the MOTD becomes a localized roadmap for datacenter technicians.
THE ADMIN DESK
Why does my MOTD take 10 seconds to load?
This is typically caused by DNS resolution delays or script-based update checks. Ensure all scripts in /etc/update-motd.d/ use local system calls only. Use time run-parts /etc/update-motd.d/ to identify the specific script causing the latency.
How do I add red alert colors for high load?
Use ANSI escape codes within your shell scripts. For example: if [ $LOAD -gt 5 ]; then echo -e “\e[31mCRITICAL LOAD\e[0m”; fi. This provides an immediate visual signal regarding system health without increasing the data payload.
Can I display the MOTD to non-SSH users?
Yes. While pam_motd handles SSH, local TTY logins use the login binary. Ensure /etc/pam.d/login also contains the pam_motd reference. This ensures consistent infrastructure visibility across physical consoles and remote serial connections.
Is there a way to hide the last login information?
Edit /etc/ssh/sshd_config and set PrintLastLog no. While this cleans up the banner, it is often discouraged by auditors because the last login timestamp is a key indicator of unauthorized account access and should remain visible.
My MOTD script works manually but not at login. Why?
This usually stems from environment variable discrepancies. Scripts running at login have a limited PATH. Always use absolute file paths (e.g., /usr/bin/uptime instead of just uptime) to ensure the shell can locate the necessary binaries.