Originally Posted by TenTenths
In our recent audit for PCI-DSS Level 2 (and pre-audit for the new "Level 3" requirements) it was agreed that as long as the banner was displayed it was acceptable; it did not require specific interactive acknowledgement. Obviously auditors / standards may vary, but PCI-DSS (at any level above "self certified") is usually pretty strict.
It is also required of any DoD site that attempts to get DISA approval.
That is where I had to write a custom display manager login for UNIX/Linux systems that was ensured to have the banner displayed before the user could log in. The "acceptance" by the user was implied by the act of login. So there was no need to have a special "I accept" entry before the login.
We also had to get an approval that it wasn't necessary for things like scp - as that broke the protocol setup and made the service incompatible with standards.
ssh wasn't a problem - it already had the capability to display a banner before login.