On Wed, Feb 17, 2016 at 5:47 PM, Lesley Kimmel <lesley.j.kimmel@xxxxxxxxx> wrote: > So I probably shouldn't have said "arbitrary" script. What I really want to > do is to present a terms of service notice (/etc/issue). But I also want to > get the user to actually confirm (by typing 'y') that they accept. If they > try to exit or type anything other than 'y' they will be denied access. I'm > not sure a user can interact with a script being executed by PAM. Also, I > want to differentiate for SCP. I think you're really, really trying to hurt yourself and burning cycles better spent elsewhere on a non-enforcable service agreement. Sun tried this with their Java installer, and it was loathed by *everyone* who's had to cope with it. If your scriptable operations for handling of specific keys are really limited, such as only serving rsync, you might take a look at the "validate-rsync.sh" script published in many places. But I suspect you're simply going to make your user community hate you, since this will break rsync over SSH, sftp, WinSCP based access to sftp or scp, etc. etc. etc. Shoving personal text interactions into a well-defined and very standard API is not a nice thing to do to your users. Nico Kadel-Garcia <nkadel@xxxxxxxxx> _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev