Short answer: you can't. Ports below 1024 can be opened only by root. As per comment: well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to the java binary, will make any java program run with this setting, which is undesirable, if not a security risk.
The long answer: you can redirect connections on port 80 to some other port you can open as normal user.
Run as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).
EDIT: as per comment question - to delete the above rule:
# iptables -t nat --line-numbers -n -L
This will output something like:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 redir ports 8088
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
The rule you are interested in is nr. 2, so to delete it:
# iptables -t nat -D PREROUTING 2
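An added example, not part of the answer above: a small POSIX shell script that adds the port-80 to 8080 PREROUTING redirect only when it is not already present, and removes it by its full rule specification instead of by line number (the number in the listing shifts whenever another NAT rule is inserted or deleted, so a stale number deletes the wrong rule). It has to run as root; the IPTABLES variable and the redirect80.sh file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Manage the port-80 -> 8080
# REDIRECT rule idempotently and delete it by its full specification rather
# than by line number. Run as root; IPTABLES can point at a stub for dry runs.
IPTABLES="${IPTABLES:-iptables}"

# Match specification shared by add, check and delete, so the three can never
# drift apart. $1 = privileged port, $2 = unprivileged target port.
redirect_spec() {
    printf '%s' "-p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Add the PREROUTING redirect only if it is not already present
# (-C exits non-zero when no identical rule exists in the chain).
ensure_redirect() {
    spec=$(redirect_spec "$1" "$2")
    # $spec is intentionally unquoted: it must split into separate arguments
    if $IPTABLES -t nat -C PREROUTING $spec 2>/dev/null; then
        return 0
    fi
    $IPTABLES -t nat -A PREROUTING $spec
}

# Remove every copy of the rule (a repeated -A leaves duplicates behind,
# and a single -D only removes the first match).
remove_redirect() {
    spec=$(redirect_spec "$1" "$2")
    while $IPTABLES -t nat -C PREROUTING $spec 2>/dev/null; do
        $IPTABLES -t nat -D PREROUTING $spec
    done
}

# Usage: ./redirect80.sh add|del  (ports are the ones used in the answer)
case "${1:-}" in
    add) ensure_redirect 80 8080 ;;
    del) remove_redirect 80 8080 ;;
esac
```

Deleting by specification also works for the OUTPUT-chain loopback rule from the answer; only the chain name and the -d 127.0.0.1 match change. Listing with --line-numbers remains useful for a quick look, but scripts should never rely on the numbers.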
Yes, you can use the pam_echo plugin:
auth required pam_unix.so
auth optional pam_echo.so file=/etc/ssh/password_banner.txt
This should produce the pam_echo output after password login.
See http://www.linux-pam.org/Linux-PAM-html/sag-pam_echo.html for docs.
Edit: You'll also need to make sure you have UsePAM yes in your sshd_config. Replaced password with auth.
Best Answer
You did not specify what SSH server you are using. I'm assuming OpenSSH.
Note that the SSH banner and the MOTD are two different things.
While almost indistinguishable in an SSH terminal, they have a different behavior, for example, in an SFTP client.
The MOTD is just a text printed on an interactive terminal. So, it won't (and cannot) be sent to SFTP clients, for example (more about that later).
The MOTD is hard-coded to the /etc/motd in OpenSSH. You can turn it on/off globally only, using the PrintMotd directive.
On some Linux systems, however, the PrintMotd is always off and the MOTD is printed by the PAM stack instead (using the pam_motd module). In this case you can turn it off via the /etc/pam.d/sshd or specify a custom motd= path as a module parameter.
The SSH banner is a special SSH 2.0 feature, sent in a specific SSH packet (SSH2_MSG_USERAUTH_BANNER).
As such, even non-terminal clients, like SFTP clients, can process it and display to user. See how the banner displays in WinSCP SFTP/SCP client for example.
The SSH banner is configurable per user (or group or other criteria) in the sshd_config using the Banner and the Match directives:
See also Disable ssh banner for specific users or ips.
Of course, you can also use a custom implementation for the message/banner. Simply print a message selected using your custom logic from a global profile script.
As with the MOTD, this won't work for non-interactive sessions (the SFTP and alike).
More importantly, not only will it not work, but you need to make sure that you print the message for an interactive terminal only, which is what OpenSSH does automatically for the /etc/motd. Either use a global profile script that executes for an interactive terminal only, or print the message conditionally based on the value of the TERM environment variable.
If you print the message for a non-interactive session, you break any client that uses a strict protocol, such as the SFTP or the SCP, as the client will try to interpret your text message as a protocol message, failing badly.
See, for example, the description of such an issue in the documentation of the WinSCP SFTP/SCP client.
(I'm the author of WinSCP)
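An added example, not part of the answer above or of any OpenSSH or WinSCP code: a global profile snippet that prints a login message only for an interactive terminal session, following the answer's advice to condition on interactivity and on TERM so that SFTP and SCP sessions never receive stray text on the protocol channel. The path /etc/profile.d/login-message.sh, the MESSAGE_FILE location and the function names are assumptions of this example.

```shell
# Added example (not from the answer). Intended to live in a global profile
# script such as /etc/profile.d/login-message.sh (assumed path) so that every
# interactive login shell sources it; SFTP/SCP and "ssh host command"
# sessions, which expect pure protocol data on the channel, print nothing.
MESSAGE_FILE="${MESSAGE_FILE:-/etc/login-message.txt}"   # assumed path

# Decide from the shell flags ($1, normally $-) and the TERM value ($2):
# a non-interactive shell, or one started without a terminal type, gets nothing.
wants_login_message() {
    case $1 in *i*) ;; *) return 1 ;; esac
    [ -n "$2" ]
}

# Print the message file, guarded three ways: interactive shell, TERM set,
# and stdout actually a terminal (-t 1 is false for a pipe or an SFTP subsystem).
print_login_message() {
    file="${1:-$MESSAGE_FILE}"
    wants_login_message "$-" "${TERM:-}" || return 0
    [ -t 1 ] || return 0
    [ -r "$file" ] || return 0
    cat -- "$file"
}

print_login_message
```

The three guards overlap on purpose: a shell started by a subsystem typically has neither the interactive flag nor TERM, but checking stdout with -t 1 also covers an interactive shell whose output was redirected. Anything that prints unconditionally from a profile script, including commands such as "echo" placed directly in /etc/profile, will corrupt the SFTP/SCP protocol exchange the answer describes.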