How to easily add an ESXi SSH login message banner
Preparing for some upcoming audits, I noticed one of the checkpoints was to ensure each ESXi host was configured with a warning banner stating the machine is being monitored and audited when someone logs into the ESXi host via SSH. This type of message is something you see on most any company or government computer before you login.
There are two message types that can be used to achieve this, the first being login banner (/etc/issue) and MOTD (/etc/motd). The difference between the two are where they are shown. The login banner is shown between the username and password inputs during login, while the MOTD is displayed after a user has successfully logged into SSH.
How to change ESXi SSH login banner via SSH
For my purposes I’m going to change the login banner so that my disclaimer is shown right away.
- SSH into your host and type:
vi /etc/issue
- Press i on your keyboard to enter insert mode and then type your message to be displayed.
- Press Esc on your keyboard to exit insert mode then type ZZ, which will save and exit VI.
- Finally restart SSH by typing the following:
/etc/init.d/SSH restart
If you would rather your message be shown after login, simply change /etc/issue to /etc/motd in step one above.
How to change ESXi SSH login banner via vSphere client
You can also changes the messages in both web and thick vSphere clients (versions 5.5 and above):
One issue I ran into when using the clients to edit the ESXi SSH login message was adding paragraphs or line breaks in the message (like the screen shot at the top of this post). If you have simple, short messages then editing the Login Banner and/or MOTD via the clients worked great, otherwise using SSH and vi was a better method for me.
Will this survive a reboot of the host? Many things on the root filesystem are not persistent.
Spencer,
Yes, both the login banner and MOTD messages will survive host reboots.
-Michael