LinuxCommandLibrary

pam_echo

Display messages to the user during PAM authentication

SYNOPSIS

Usage in PAM configuration files (e.g., /etc/pam.d/common-auth):

module_type control_flag pam_echo.so [options]

Example:
auth optional pam_echo.so text="Welcome to the system. Usage is logged."

The module_type is typically auth or session.
The control_flag can be required, requisite, sufficient, or optional. optional is common for pam_echo.

PARAMETERS

file=/path/to/message
    Specifies a file from which the message to be displayed should be read. The entire content of the file will be printed.

text="message content"
    Specifies the message directly as a string. If both file and text are provided, text takes precedence.

term=true/false
    Controls whether the message should only be displayed if a TTY (terminal) is attached to the process. The default value is true. Set to false to display messages even without a TTY.

no_newline
    Prevents the module from appending a newline character after the displayed message. Useful if the message itself already includes a newline or for custom formatting.

echo_once
    Ensures that the message is displayed only once per authentication conversation, even if the module is invoked multiple times in the PAM stack.

only_when_needed
    Causes the module to display its message only if there is an authentication prompt or an authentication failure that requires user interaction. This prevents messages from being shown unnecessarily.

DESCRIPTION

The pam_echo.so module is a utility module within the Linux-PAM (Pluggable Authentication Modules) framework. Its primary function is to display arbitrary messages to the user during the authentication or session management process. It does not perform any authentication itself, but rather serves as a means to provide informational, warning, or policy-related messages to the user. This module is typically configured in PAM configuration files (e.g., in /etc/pam.d/) and can be used with auth or session module types. Messages can be supplied directly as a string or read from a specified file. It's often used to remind users of security policies, system usage agreements, or to provide context for authentication prompts. Its non-critical nature allows it to be used with the optional control flag, meaning its failure won't necessarily halt the authentication process.
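An added example, not part of the original page and not Linux-PAM code: a small audit of pam.d-style lines that flags pam_echo.so entries whose control flag is not optional, whose module type is not auth or session, that set both file= and text=, or whose message file is missing or writable by non-owners. The option syntax follows this page; the function name, the sample configuration and its paths are constructed for illustration.

```python
import os
import re
import shlex
import stat

# module type, control flag (simple or bracketed), module path, remaining arguments
PAM_LINE = re.compile(r'^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

SAMPLE = """\
# constructed sample, not taken from a real system
auth     optional  pam_echo.so text="Welcome to the system. Usage is logged."
auth     required  pam_echo.so file=/nonexistent/issue.pam
session  optional  pam_echo.so file=/nonexistent/motd text="Maintenance at 22:00"
auth     required  pam_unix.so
"""

def audit_pam_echo(config_text):
    """Return (line_number, finding) tuples for pam_echo.so entries."""
    findings = []
    for num, raw in enumerate(config_text.splitlines(), 1):
        m = PAM_LINE.match(raw)
        if not m:  # comments, blank lines, @include directives
            continue
        mtype, control, module, rest = m.groups()
        if os.path.basename(module) != 'pam_echo.so':
            continue
        # shlex keeps a quoted text="..." value together as one argument
        opts = dict(a.partition('=')[::2] for a in shlex.split(rest))
        if mtype.lstrip('-') not in ('auth', 'session'):
            findings.append((num, f"module type '{mtype}' is not auth or session"))
        if control != 'optional':
            findings.append((num, f"control flag '{control}': pam_echo's result can decide the stack outcome"))
        if 'file' in opts and 'text' in opts:
            findings.append((num, "file= and text= both set; per this page text= wins and file= is ignored"))
        path = opts.get('file')
        if path:
            try:
                mode = os.stat(path).st_mode
            except OSError:
                findings.append((num, f"message file {path} is missing or unreadable"))
            else:
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((num, f"message file {path} is group- or world-writable"))
    return findings

if __name__ == "__main__":
    for num, finding in audit_pam_echo(SAMPLE):
        print(f"line {num}: {finding}")
```
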

CAVEATS

  • pam_echo is designed for simple message display and should not be used for critical security warnings or handling sensitive user input.
  • The appearance and display of messages can vary depending on the terminal emulator, application, and PAM-aware service. Messages might be truncated or formatted differently.
  • Careful placement within the PAM stack is essential. Placing the module too early might display messages before the relevant context is established; placing it too late can make them redundant.

PAM MODULE TYPE USAGE

pam_echo is typically configured as an auth or session module type in pam.d files.

  • When used as an auth module, messages are displayed during the authentication phase (e.g., before or after username/password prompts).
  • When used as a session module, messages are displayed at the start or end of a user session.

PURPOSE

This module is particularly useful for:

  • Providing legal disclaimers or "banner" messages before login.
  • Reminding users about password expiration policies.
  • Notifying users about system maintenance or upcoming changes.
  • Displaying general welcome messages.

SEE ALSO

pam(8), pam.conf(5), pam_script(8)
