diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix
index 4b9be460548..39359ac4293 100644
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@@ -1,6 +1,6 @@
 # Configuration for the pwdutils suite of tools: passwd, useradd, etc.
-{config, pkgs, ...}:
+{ config, pkgs, ... }:
 let
@@ -27,6 +27,7 @@ let
 # Uncomment this to allow non-root users to change their account
 #information. This should be made configurable.
 #CHFN_RESTRICT frwh
+
 '';
 in
@@ -90,7 +91,7 @@ in
 { name = "groupmod"; rootOK = true; }
 { name = "groupmems"; rootOK = true; }
 { name = "groupdel"; rootOK = true; }
- { name = "login"; startSession = true; allowNullPassword = true; }
+ { name = "login"; startSession = true; allowNullPassword = true; showMotd = true; }
 ];
 security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 049df0f9958..7293f207ed0 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -29,6 +29,8 @@ let
 concatStringsSep " " [ domain type item value ])
 limits));
+ motd = pkgs.writeText "motd" config.users.motd;
+
 makePAMService =
 { name
 , # If set, root doesn't need to authenticate (e.g. for the "chsh"
@@ -58,6 +60,8 @@ let
 allowNullPassword ? false
 , # The limits, as per limits.conf(5).
 limits ? config.security.pam.loginLimits
+ , # Whether to show the message of the day.
+ showMotd ? false
 }:
 { source = pkgs.writeText "${name}.pam"
@@ -110,6 +114,8 @@ let
 "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
 ${optionalString (limits != [])
 "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf limits}"}
+ ${optionalString (showMotd && config.users.motd != null)
+ "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
 '';
 target = "pam.d/${name}";
 };
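Review bot: `motd = pkgs.writeText "motd" config.users.motd;` is built from an option whose default is `null`, and a null text body presumably fails to coerce to a string once the derivation is forced; the binding only works because Nix evaluates it lazily and its sole consumer, the pam_motd session line later in this file, is guarded by `config.users.motd != null`. That coupling is invisible at this line and easy to break by a later reader of `motd`. Either move the check into the binding, `motd = if config.users.motd == null then null else pkgs.writeText "motd" config.users.motd;`, or add a comment above it: `# Forced only from the guarded pam_motd session line; users.motd may be null.`. The `let` block this binding belongs to starts outside the hunk.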
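Review bot: The new parameter comment `# Whether to show the message of the day.` does not say that the flag is a no-op while `users.motd` is unset, which is how the session line in this file treats it, so a service author may set it and see nothing. Suggest `# Whether to show the message of the day (no effect unless users.motd is set).`. makePAMService's argument list starts and continues outside this hunk.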
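Review bot: The new `session optional ... pam_motd.so motd=${motd}` line points pam_motd at a Nix store path rather than /etc/motd, which is a useful property (the displayed text is immutable and matches the evaluated configuration) but surprises an operator who edits /etc/motd by hand and sees no change; a one-line comment above the optionalString would avoid that, e.g. `# users.motd is rendered into the store; /etc/motd is not consulted by this line.`. Being `optional`, a missing or unreadable motd file only logs and never blocks the session, which is the right control for a cosmetic module. The pam.d string this line lives in starts outside the hunk.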
@@ -201,6 +207,13 @@ in
 '';
 };
+ users.motd = mkOption {
+ default = null;
+ example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
+ type = types.nullOr types.string;
+ description = "Message of the day shown to users when they log in.";
+ };
+
 };
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 163616fdd18..90e0ea2f029 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -358,7 +358,7 @@ in
 networking.firewall.allowedTCPPorts = cfg.ports;
- security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; };
+ security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
 services.openssh.extraConfig = ''
@@ -390,10 +390,13 @@ in
 GatewayPorts ${cfg.gatewayPorts}
 PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
 ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
+
+ PrintMotd no # handled by pam_motd
 '';
 assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";}];
+
 };
 }
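Review bot: `type = types.nullOr types.string;` — if `types.string` in this tree is the older string type that merges multiple definitions by concatenation, two modules that both set `users.motd` will be silently joined into one message instead of being reported as a conflict; a type with a unique-definition merge would be the safer choice here, if the module system in use provides one. The description also understates the contract: the text is written into the Nix store by `pkgs.writeText`, so it is world-readable and must not carry secrets, and it is only displayed by PAM services that set `showMotd` (login and sshd in this commit). Suggest `description = "Message of the day shown by PAM services that enable showMotd (login, sshd) when users log in. Stored in the world-readable Nix store, so it must not contain secrets.";`. The `options` set this option is added to starts outside the hunk.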
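Review bot: `PrintMotd no # handled by pam_motd` is emitted unconditionally, but the pam_motd session line only exists when `cfg.usePAM` is set (the `optional cfg.usePAM` in the @@ -358 hunk of this file). Assuming this module also emits `UsePAM` from `cfg.usePAM`, a configuration with `usePAM = false` previously fell back to sshd's own MOTD printing (OpenSSH's default for PrintMotd is yes) and now prints nothing, so the MOTD is lost rather than handed over. Consider `PrintMotd ${if cfg.usePAM then "no" else "yes"}` so the setting tracks where the MOTD is actually handled. Both sshd hunks sit in the same attribute set, whose start is outside the hunk.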