LinuxCommandLibrary

pam_motd

Display message of the day during login

SYNOPSIS

This module is typically configured in a PAM service file (e.g., /etc/pam.d/login, /etc/pam.d/sshd) as a session type module.

session optional pam_motd.so [motd=/path/to/file] [motd_dir=/path/to/dir] [noupdate] [warn] [nonr] [debug]

PARAMETERS

motd=/path/to/file
    Specifies an alternative file to read the static message of the day from, instead of the default /etc/motd.

motd_dir=/path/to/dir
    Specifies an alternative directory to read dynamic messages from. If this option is used, it typically replaces or supplements the default dynamic MOTD directories like /run/motd.d/ and /etc/motd.d/.

noupdate
    Prevents the module from updating the last-display timestamp in /var/run/motd. This timestamp is sometimes used by systems to determine if a new MOTD should be shown.

warn
    If specified, the module will output a warning message to syslog if it fails to open the MOTD file or directory.

nonr
    Suppresses trailing newline characters from each message file displayed, preventing extra blank lines after each included message.

debug
    Enables verbose debug messages, which are typically logged to syslog, for troubleshooting purposes.

DESCRIPTION

pam_motd is a Pluggable Authentication Module (PAM) that is responsible for displaying informational messages to users upon successful login. It typically presents the "message of the day" (MOTD) and other dynamic system information.

The module first displays the static content of the /etc/motd file. Following this, it processes and displays messages from files and executable scripts found in the /run/motd.d/ directory, and then from /etc/motd.d/. These directories allow for dynamic MOTD content, where scripts can generate real-time system status, pending updates, or administrative announcements.

pam_motd is commonly configured as a session module in PAM service files such as /etc/pam.d/login, /etc/pam.d/sshd, and /etc/pam.d/system-auth. Its primary purpose is to ensure that users are informed about relevant system news, maintenance schedules, or critical notices immediately after authentication. The module's execution is typically set as optional so that a failure in displaying the message does not prevent a user from logging in.

CAVEATS

  • Execution Order: pam_motd processes messages in a specific order: first /etc/motd, then files and executables in /run/motd.d/, and finally those in /etc/motd.d/.
  • Permissions: Dynamic MOTD files and scripts in the .d/ directories must be readable and executable by the user accessing the system. Incorrect permissions can lead to messages not being displayed.
  • Security Implications: Be cautious when placing executable scripts in MOTD directories (/run/motd.d/, /etc/motd.d/), as they run with the privileges of the logging-in user. Ensure that these scripts are trusted and do not contain vulnerabilities.
  • Terminal Compatibility: The output of MOTD messages can vary depending on the user's terminal emulator. Complex ASCII art or specific formatting may not render correctly on all terminals.
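
One way to check the trust requirement from the Security Implications caveat, as an added example that is not part of the original page: the script below reports MOTD sources that an account other than the expected owner could alter (wrong owner, group- or world-writable, or a symbolic link). The function names and the tab-separated output format are assumptions made for this example; empty output means nothing was found.

```shell
#!/bin/sh
# Added example (not from the original page): audit MOTD sources for entries
# that an account other than the expected owner could modify.
# audit_motd_paths and its output format are hypothetical names for this example.

# report REASON: prefix each path read from stdin with REASON and a tab.
report() {
    while IFS= read -r f; do
        printf '%s\t%s\n' "$1" "$f"
    done
}

# audit_motd_paths OWNER PATH...
# OWNER is a user name or numeric uid (normally root). Prints one finding per line.
audit_motd_paths() {
    owner=$1
    shift
    for p in "$@"; do
        # Skip paths that do not exist; a dangling symlink still counts as present.
        [ -e "$p" ] || [ -L "$p" ] || continue
        # Wrong owner: that account can replace the content shown at login.
        find "$p" ! -type l ! -user "$owner" | report owner
        # Group- or world-writable file or directory.
        find "$p" ! -type l \( -perm -020 -o -perm -002 \) | report writable
        # Symlinks: the target may sit in a less protected location.
        find "$p" -type l | report symlink
    done
}

# On a live system (paths as named on this page):
#   audit_motd_paths root /etc/motd /run/motd.d /etc/motd.d
```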

DYNAMIC MOTD GENERATION

Modern Linux distributions leverage pam_motd to display dynamic information. This is achieved by placing executable scripts or files in /run/motd.d/ and /etc/motd.d/. When a user logs in, pam_motd executes these scripts (if executable) or concatenates their content, allowing for real-time system status reports, administrative announcements, or system-specific warnings to be generated and displayed.

PAM SESSION MODULE

pam_motd is configured as a session module in PAM. This means it is invoked after successful authentication and before the user's session is fully established. It's typically added with the `optional` keyword, ensuring that if the module fails to display the message (e.g., due to file permission issues), the login process is not interrupted.

HISTORY

The concept of a "message of the day" is a long-standing Unix tradition, predating the PAM framework. Historically, login programs would directly display the contents of /etc/motd. With the introduction of Pluggable Authentication Modules (PAM) in the mid-1990s, the responsibility for displaying the MOTD was modularized into pam_motd. This transition allowed administrators to control MOTD display behavior more flexibly through PAM configurations. More recently, the functionality evolved from merely displaying a static file to supporting dynamic messages via scripts in directories like /run/motd.d/ and /etc/motd.d/. This enhancement enables system administrators to provide up-to-date information, such as system load, pending reboots, or package updates, automatically at login.

SEE ALSO

motd(5), pam(8), login(1), sshd(8), pam_exec(8)
