Build a Useful Linux Login Banner On AWS With Ansible | by Tate Galbraith | Mar, 2022


Most default Linux login banners (or MOTD) leave a lot to be desired. The login message isn't something that's meant to be left as is. It's meant to be changed, customized and extended to suit specific use-cases. If you frequently access a lot of different cloud or on-premises servers, changing up the banner is almost a requirement.

The options for what you can include in your login banner are almost endless. You can put everything from basic information about the server itself to a funny knock-knock joke of the day. The only limit is your imagination.

In this article, we'll explore not only how to change this banner and what to put in it, but also how to deploy it with Ansible and include some useful AWS EC2 information in it.

Scraping EC2 instance metadata

If you haven't used instance metadata before, you're in for a real treat. Every EC2 instance has the ability to gather basic information about itself from inside the instance's OS. The instance metadata service (IMDS) listens on a link-local IP address and serves a basic HTTP API for gathering this information. Because every process on the instance can reach it (including a web application with an SSRF bug), AWS also offers IMDSv2, which requires a short-lived session token fetched with a PUT request; on instances configured to require IMDSv2, the plain GET requests shown below are answered with HTTP 401.

The metadata endpoint is always exposed on the following link-local IPv4 address (it is only reachable from inside the instance):

http://169.254.169.254/newest/meta-data/

For example, from inside the instance, if you wanted to obtain the private IP you would run:

curl http://169.254.169.254/latest/meta-data/local-ipv4

This should return the private IP address currently assigned to this instance.

If we want to pull something like this into Ansible, all we have to do is make a simple web request from inside our playbook. It would look something like this:

- name: Get EC2 instance metadata
  uri:
    url: "http://169.254.169.254/latest/meta-data/local-ipv4"
    return_content: true
  register: ec2_local_ip

Once this task completes, the private IP will be stored inside the resulting content key of the ec2_local_ip variable (ec2_local_ip.content).

If you wanted to pull a richer set of metadata about the instance you could use something called the "identity document". This is a JSON blob full of information like the instance type, private IP, region and the AWS account ID.

The identity document can be retrieved from the following path:

http://169.254.169.254/latest/dynamic/instance-identity/document

Note that this falls under the dynamic data and not the meta-data key.

It looks something like this:


{
  "accountId" : "123456789",
  "architecture" : "x86_64",
  "availabilityZone" : "us-west-1a",
  "billingProducts" : null,
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : null,
  "imageId" : "ami-123456789",
  "instanceId" : "i-00001234567890",
  "instanceType" : "t2.micro",
  "kernelId" : null,
  "pendingTime" : "2022-01-21T00:47:18Z",
  "privateIp" : "192.168.1.5",
  "ramdiskId" : null,
  "region" : "us-west-1",
  "version" : "2017-09-30"
}

In order to retrieve this in Ansible, we'll use a slightly different version of our request task and set a new variable:

- name: Get the instance identity document
  uri:
    url: "http://169.254.169.254/latest/dynamic/instance-identity/document"
    return_content: true
  register: identity_doc
- set_fact:
    instance_metadata: "{{ identity_doc.json }}"

After this set of tasks completes we will be left with our identity document's JSON blob loaded into the variable called instance_metadata. The uri module only populates the json key when it can parse the response body as JSON, which is the case for the identity document.

Now, let's look at how to build out the basic playbook to actually change the banner with some of this data.

Building the playbook

In order to change the banner we'll need to set up a simple task inside our playbook for this. In almost all cases, you'll just want to replace the whole banner with something custom. In this example we will be templating the entire file:

- name: Change MOTD banner
  template:
    src: motd.j2
    dest: /etc/motd
  register: motd_file
- name: Restart ssh when updated
  service:
    name: ssh
    state: restarted
  when: motd_file.changed

In the tasks above we're taking our template file and writing it over the top of the existing motd path. Then, if the file changed, we restart the ssh service. Strictly speaking, sshd (and pam_motd on Debian and Ubuntu) reads /etc/motd afresh at every login, so a restart is not required to pick up a new banner; it only becomes necessary once you also change sshd_config, as described later, and it is harmless to leave in.

Note: depending on your Linux distribution, the service may be called something other than ssh (it is sshd on RHEL-based distributions and Amazon Linux).

Now, let's look at how to build the template itself.

Building the template

Ansible templates are very powerful features. Inside a role or a playbook you can set up template files that are capable of producing very complex text layouts. You can template configuration files and much more using this engine.

For this example we will interpolate the metadata we gathered and build a more aesthetically pleasing layout.

Create a file called motd.j2 (either inside the templates directory of your role or in the same directory as the playbook) and let's start building the basic template:

()================================================================()
        host:          {{ ansible_host }}
        kernel:        {{ ansible_kernel }}
        instance-id:   {{ instance_metadata.instanceId }}
        instance-type: {{ instance_metadata.instanceType }}
        private-ip:    {{ instance_metadata.privateIp }}
()================================================================()

In this template we're doing a few simple things like formatting with tabs and line breaks, but we also pull in a number of variables from the instance identity document along with internal Ansible variables (ansible_kernel comes from fact gathering, so leave gather_facts enabled).

Remember that in our playbook we've saved the identity document in a variable called instance_metadata, so we can access it just like a normal dictionary and reference those fields inside our template.

Let's take a look at what the final playbook would look like.

Putting it all together

Below is an example playbook which will run against localhost, gather metadata and change the banner to our new template:

---
- hosts: localhost
  tasks:
    - name: Get the instance identity document
      uri:
        url: "http://169.254.169.254/latest/dynamic/instance-identity/document"
        return_content: true
      register: identity_doc
    - set_fact:
        instance_metadata: "{{ identity_doc.json }}"
    - name: Change MOTD banner
      template:
        src: motd.j2
        dest: /etc/motd
      register: motd_file
    - name: Restart ssh when updated
      service:
        name: ssh
        state: restarted
      when: motd_file.changed

Depending on your specific Linux distribution's SSH configuration you may need to update the SSH daemon's config to get the MOTD displayed the way you want.

On Debian this is located in /etc/ssh/sshd_config. Note that the Banner directive there controls a separate pre-authentication banner, shown to every client before it logs in; the MOTD is printed after a successful login, either by sshd itself (PrintMotd) or, on Debian and Ubuntu, by pam_motd from /etc/pam.d/sshd. Removing or commenting out the Banner line stops that pre-auth text from appearing alongside the MOTD. Keep instance details such as the account ID, instance ID and private IP out of any pre-auth banner, since they are disclosed to unauthenticated clients.

If you still run into trouble, you may also need to disable any dynamic MOTD scripts located in /etc/update-motd.d (on Ubuntu these generate the default multi-line login text).
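As an added example (not the article's own playbook, and not code from the author), here is how I would deploy the whole thing in practice, combining the metadata tasks from the "Scraping EC2 instance metadata" section with the sshd notes just above. It fetches the identity document through IMDSv2 (the token-based variant that still works when IMDSv1 is disabled), sanity-checks the fields before templating, keeps the instance details in /etc/motd where only authenticated users see them while pointing sshd's pre-auth Banner at a static file, validates sshd_config before writing it, restarts sshd from a handler only when that file actually changed, and disables the Ubuntu-style scripts in /etc/update-motd.d by clearing their execute bit. It assumes motd.j2 and a static issue.txt sit next to the playbook; the names imds_token, ssh_service, motd_scripts and the regex checks are this example's own choices, not anything from the page.

```yaml
---
# Added example, not the article's playbook. Assumes motd.j2 and a static
# issue.txt next to this file; imds_token, ssh_service and motd_scripts are
# names chosen here, not anything the article defines.
- hosts: localhost
  become: true
  vars:
    # Debian/Ubuntu name the unit "ssh"; RHEL, Fedora and Amazon Linux use "sshd".
    ssh_service: "{{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}"

  tasks:
    - name: Request an IMDSv2 session token (plain IMDSv1 GETs get HTTP 401 when v2 is required)
      uri:
        url: "http://169.254.169.254/latest/api/token"
        method: PUT
        headers:
          X-aws-ec2-metadata-token-ttl-seconds: "60"
        return_content: true
        timeout: 5
      register: imds_token
      no_log: true   # the token is a credential for the metadata service; keep it out of logs

    - name: Get the instance identity document with the token
      uri:
        url: "http://169.254.169.254/latest/dynamic/instance-identity/document"
        headers:
          X-aws-ec2-metadata-token: "{{ imds_token.content }}"
        return_content: true
        timeout: 5
      register: identity_doc

    - name: Parse the document explicitly rather than relying on content-type sniffing
      set_fact:
        instance_metadata: "{{ identity_doc.content | from_json }}"

    - name: Refuse to template a banner from a document that does not look right
      assert:
        that:
          - instance_metadata.instanceId is match('^i-[0-9a-f]+$')
          - instance_metadata.instanceType is defined
          - instance_metadata.privateIp is match('^[0-9.]+$')
        fail_msg: "Unexpected identity document: {{ instance_metadata }}"

    - name: Render the post-login MOTD (this is where instance details belong)
      template:
        src: motd.j2
        dest: /etc/motd
        owner: root
        group: root
        mode: "0644"

    - name: Install a static pre-authentication banner that reveals nothing about the instance
      copy:
        src: issue.txt
        dest: /etc/issue.net
        owner: root
        group: root
        mode: "0644"

    - name: Point sshd at the pre-auth banner, validating the config before writing it
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Banner\s'
        line: 'Banner /etc/issue.net'
        validate: /usr/sbin/sshd -t -f %s   # never leave sshd with a config it cannot parse
      notify: restart sshd

    - name: Find Ubuntu-style dynamic MOTD scripts
      find:
        paths: /etc/update-motd.d
        file_type: file
      register: motd_scripts

    - name: Disable them by clearing the execute bit (run-parts skips non-executable files)
      file:
        path: "{{ item.path }}"
        mode: a-x
      loop: "{{ motd_scripts.files }}"
      loop_control:
        label: "{{ item.path }}"

  handlers:
    # Only the sshd_config change needs a restart; /etc/motd is re-read on every login.
    - name: restart sshd
      service:
        name: "{{ ssh_service }}"
        state: restarted
```

Run it with ansible-playbook on the instance itself, since it targets localhost. Splitting the restart out into a handler tied to the sshd_config edit matters on a fleet: a later change to motd.j2 alone then never touches sshd at all, and a typo in the Banner line is caught by sshd -t before the file is written rather than after the daemon fails to come back.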

Once you've put everything together and run the playbook against your EC2 host, you should see a pleasant new login banner similar to this:

Dynamic login banner on EC2 host.

Now you will have access to basic EC2 information right when you log in. This saves time and ensures you're logged in to the correct host, with the correct configuration.

You can extend this login banner to feature even more information from instance metadata and Ansible. If you're in the mood for something more fun you could add features like Cowsay or Fortune.
