pam_issue

pam_issue.so [issue=file] [order=number]

issue=file
    Path to the file to display instead of default /etc/issue or /etc/issue.net.

order=number
    Integer specifying the module's position in the PAM stack (lower numbers first).

The pam_issue module is a component of the Pluggable Authentication Modules (PAM) framework in Linux systems. It outputs the contents of /etc/issue (or /etc/issue.net for network sessions like SSH) to users before the authentication prompt, such as during login. This enables system administrators to show customized messages, including welcome banners, legal disclaimers, system status, or security notices.

The module automatically handles colorization if the issue file contains ANSI escape sequences (e.g., \e[1;32m for green text). It operates in the PAM auth or session stack, ensuring the message appears early in the login process.

Configuration occurs in service-specific PAM files like /etc/pam.d/login, /etc/pam.d/sshd, or /etc/pam.d/common-auth. For example, adding auth optional pam_issue.so displays the message before password entry. The default files (/etc/issue for console/TTY, /etc/issue.net otherwise) must be readable by all users (typically mode 644). Failure to read the file results in silent skipping.

This module enhances user experience and compliance by providing pre-login information without requiring changes to programs like login(1) or sshd(8).

File must be world-readable; non-TTY sessions use /etc/issue.net. No output if file unreadable or absent. Supports standard PAM options like debug or quiet.

Add to /etc/pam.d/login:
session optional pam_issue.so issue=/etc/motd

Part of Linux-PAM since early 2000s; developed by the Linux-PAM project for flexible pre-login messaging.

pam_motd(8), login(1), sshd(8), agetty(8)