In Unix-like systems, particularly Linux distributions, both /etc/issue and /etc/issue.net serve as pre-login banner files, but they're triggered under different authentication scenarios:
```
# Typical default content (RHEL example)
$ cat /etc/issue
Red Hat Enterprise Linux Server release 6.10 (Santiago)
Kernel \r on an \m
$ cat /etc/issue.net
Red Hat Enterprise Linux Server release 6.10 (Santiago)
Kernel \r on an \m
```
The key distinction lies in the connection type:
/etc/issue appears for:
- Local console logins (tty devices)
- Graphical login managers (GDM, LightDM)
- Direct terminal connections

/etc/issue.net appears for:
- Remote logins via telnet (though insecure)
- SSH connections (when configured)
- Other network-based login methods

Here's how to customize them differently for security purposes:
```bash
# /etc/issue (local login banner)
echo "INTERNAL SYSTEM - Authorized Use Only" > /etc/issue
echo "Logged activities are monitored" >> /etc/issue
# /etc/issue.net (remote login banner)
echo "WARNING: Unauthorized access prohibited" > /etc/issue.net
echo "All connections are logged (IP: \4)" >> /etc/issue.net
```
You can make these banners dynamic using escape sequences:
```
# Available escape sequences:
\d - Current date
\l - TTY name
\m - Machine architecture
\n - Hostname
\o - Domain name
\r - OS release
\t - Current time
\s - OS name
\v - OS version
```
To enable /etc/issue.net display in SSH:
```
# In /etc/ssh/sshd_config:
Banner /etc/issue.net
# Then restart sshd:
service sshd restart
```
Best practices for login banners:
1. Never include sensitive system information
2. Avoid revealing OS version details
3. Include legal warning text for compliance
4. Keep remote banners more restrictive
5. Consider localization for multinational teams
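
A check for practices 1 and 2 above, as an added example (not from the original page): the hypothetical `audit_banner` function flags getty escapes that expand to OS, kernel or architecture details and hard-coded release numbers. In `ssh` mode it instead flags any backslash escape, because sshd sends the `Banner` file verbatim without expanding escapes. The function names, the release-number pattern and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_banner FILE [local|ssh]  (hypothetical helper, not a standard tool)
# Returns 0 when FILE has no findings, 1 when it has some, 2 if unreadable.

# check PATTERN MESSAGE: report numbered lines of $file matching PATTERN.
check() {
    hits=$(grep -nE -- "$1" "$file") || return 0
    printf '%s: %s\n' "$file" "$2"
    printf '%s\n' "$hits" | sed 's/^/    line /'
    findings=$((findings + 1))
}

audit_banner() {
    file=$1; mode=${2:-local}; findings=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if [ "$mode" = ssh ]; then
        # sshd sends the Banner file as-is: escapes show up as literal text.
        check '\\[A-Za-z0-9]' 'escape sequence is not expanded by sshd'
    else
        # getty expands these to OS name, release, version or architecture.
        check '\\[rsvmS]' 'escape discloses OS, kernel or architecture'
    fi
    # Heuristic (assumption) for hard-coded version text like "release 6.10".
    check '[Rr]elease [0-9]+(\.[0-9]+)*' 'literal release number'
    [ "$findings" -eq 0 ]
}

# Constructed samples: the page's RHEL default, its remote banner, a plain one.
tmp=$(mktemp -d)
printf '%s\n' 'Red Hat Enterprise Linux Server release 6.10 (Santiago)' \
    'Kernel \r on an \m' > "$tmp/issue"
printf '%s\n' 'WARNING: Unauthorized access prohibited' \
    'All connections are logged (IP: \4)' > "$tmp/issue.net"
printf '%s\n' 'Unauthorized access prohibited.' \
    'All activities are logged.' > "$tmp/banner"

audit_banner "$tmp/issue" local   || echo "=> review $tmp/issue"
audit_banner "$tmp/issue.net" ssh || echo "=> review $tmp/issue.net"
audit_banner "$tmp/banner" ssh    && echo "$tmp/banner: ok"
rm -rf "$tmp"
```
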
Here's an advanced configuration script:
```bash
#!/bin/bash
# Generate dynamic banners
cat > /etc/issue < /etc/issue.net <
```
In Linux systems, both /etc/issue and /etc/issue.net serve as pre-login banner files, but they have distinct use cases:
```
# Typical content example (RHEL/CentOS):
Red Hat Enterprise Linux Server release 6.10 (Santiago)
Kernel \r on an \m
```
The fundamental distinction lies in their invocation contexts:
- /etc/issue: Displayed for local terminal logins (TTY consoles)
- /etc/issue.net: Displayed for remote logins via telnet (though rarely used in modern systems)

In contemporary systems using SSH (rather than telnet), the behavior is controlled by sshd_config:
```
# /etc/ssh/sshd_config relevant parameters:
PrintMotd yes
PrintLastLog yes
Banner /etc/issue.net
```
Important escape sequences for dynamic content:
| Sequence | Meaning |
|---|---|
| \d | Current date |
| \l | Terminal name |
| \m | Machine architecture |
| \n | Nodename |
| \o | Domain name |
| \r | OS release |
Best practices for system hardening:
```
# Example of secure banner content:
\S
Kernel \r on \m
Unauthorized access prohibited.
All activities are logged.
```
For SSH-specific banners, consider creating a dedicated file at /etc/ssh/banner instead of using /etc/issue.net.