Discussion:
Login Statistics Similar to Centos
Storm Dragon via arch-general
2017-08-29 21:57:46 UTC
Howdy,
I recently was playing with a Centos server. One of the things I found interesting about the experience is the information presented on login:

Last login: Tue Aug 29 17:38:48 EDT 2017 on pts/0
Last failed login: Tue Aug 29 17:47:31 EDT 2017 from 116.31.116.18 on ssh:notty
There were 37 failed login attempts since the last successful login.

How can I get Arch to do that same info? I've searched the wiki and forums, but not found anything.
Thanks,
Storm
--
Powered by Arch Linux! I am registered Linux user number 508465: https://linuxcounter.net/user/508465.html
My blog, Thoughts of a Dragon: http://www.stormdragon.tk/
get my public PGP key: gpg --keyserver wwwkeys.pgp.net --recv-key 43DDC193
"I am your soul insane"
Slayer - Gemini
Leonid Isaev via arch-general
2017-08-29 22:19:44 UTC
Post by Storm Dragon via arch-general
Howdy,
Last login: Tue Aug 29 17:38:48 EDT 2017 on pts/0
Last failed login: Tue Aug 29 17:47:31 EDT 2017 from 116.31.116.18 on ssh:notty
There were 37 failed login attempts since the last successful login.
How can I get Arch to do that same info? I've searched the wiki and forums,
but not found anything.
man 8 pam_lastlog

Cheers,
--
Leonid Isaev
William Gathoye
2017-09-01 18:11:29 UTC
Post by Leonid Isaev via arch-general
man 8 pam_lastlog
For your kind info, calling pam_lastlog.so like described in the man
pages is segfaulting on my side.

$ /usr/lib/security/pam_lastlog.so
Segmentation fault (core dumped)

I cannot debug further since it hasn't been built with gdb debug
symbols, but this is likely due to this issue. [1]


[1] https://www.redhat.com/archives/pam-list/2014-August/msg00003.html
--
William Gathoye
<william+***@gathoye.be>
brent s.
2017-09-01 18:26:24 UTC
Post by William Gathoye
Post by Leonid Isaev via arch-general
man 8 pam_lastlog
For your kind info, calling pam_lastlog.so like described in the man
pages is segfaulting on my side.
$ /usr/lib/security/pam_lastlog.so
Segmentation fault (core dumped)
I cannot debug further since it hasn't been built with gdb debug
symbols, but this is likely due to this issue. [1]
[1] https://www.redhat.com/archives/pam-list/2014-August/msg00003.html
You don't execute pam_lastlog.so directly.

[***@centos7test pam.d]# pwd
/etc/pam.d
[***@centos7test pam.d]# cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
***auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
***session include postlogin
-session optional pam_ck_connector.so


(*** prefixed for emphasis. Do not actually put those in a pam config.)

[***@centos7test pam.d]# cat postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.


session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
***session [default=1] pam_lastlog.so nowtmp showfailed
***session optional pam_lastlog.so silent noupdate showfailed


(*** prefixed for emphasis. Do not actually put those in a pam config.)



As shown, pam is calling the pam_lastlog.so object (which is why you
can't execute it; it's not an executable, it's a Shared Object).

To do this over SSH, /etc/ssh/sshd_config has UsePam yes (and
PrintLastLog yes is enabled by default)
--
brent saner
https://www.square-r00t.net
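
Why the postlogin stack quoted above carries two pam_lastlog lines: an added example, not part of the original thread, that models the bracketed jump controls described in pam.conf(5) and reports which pam_lastlog rule is reached for a given service. The function names, the reduced pam_succeed_if model (only `service !~ glob` tests) and the assumption that pam_lastlog returns success are this example's own.

```python
import fnmatch
import re

# Constructed copy of the postlogin session stack quoted in the thread
# (emphasis markers removed, wrapped line rejoined).
POSTLOGIN = """\
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
"""
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module, args) for every rule, skipping comments."""
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.groups()

def action(control, result):
    """Map a module result to its action (a missing default is 'ignore' in this model)."""
    if not control.startswith("["):
        return "ok"                   # simple keywords never jump
    table = dict(tok.split("=", 1) for tok in control.strip("[]").split())
    return table.get(result, table.get("default", "ignore"))

def succeed_if(args, service):
    """Model pam_succeed_if for 'service !~ glob' tests only; all must hold."""
    toks = [a for a in args.split() if a != "quiet"]
    tests = zip(toks[0::3], toks[1::3], toks[2::3])
    met = all(f == "service" and op == "!~" and not fnmatch.fnmatchcase(service, g)
              for f, op, g in tests)
    return "success" if met else "auth_err"

def lastlog_rules_run(text, service):
    """Return the argument lists of the pam_lastlog rules reached for `service`."""
    ran, skip = [], 0
    for _type, control, module, args in parse(text):
        if skip:                      # a numeric action jumps over N rules
            skip -= 1
            continue
        result = "success"            # assumption: pam_lastlog returns success
        if module == "pam_succeed_if.so":
            result = succeed_if(args, service)
        elif module == "pam_lastlog.so":
            ran.append(args.split())
        act = action(control, result)
        skip = int(act) if act.isdigit() else 0
    return ran
```

Under this model, `lastlog_rules_run(POSTLOGIN, "sshd")` reaches only the `silent noupdate showfailed` rule, while a `gdm*` or `su*` service reaches only the `nowtmp showfailed` rule.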
William Gathoye
2017-09-01 18:38:24 UTC
Post by brent s.
You don't execute pam_lastlog.so directly.
As shown, pam is calling the pam_lastlog.so object (which is why you
can't execute it; it's not an executable, it's a Shared Object).
Ok. Actually, I saw this was a shared object, and I wondered, as this is the
first time I was seeing an SO which was executable. This confirms my
assumption :)
Post by brent s.
To do this over SSH, /etc/ssh/sshd_config has UsePam yes (and
PrintLastLog yes is enabled by default)
I already knew about this PrintLastLog feature but I wasn't aware
that PAM was responsible for that (I thought this was sshd looking in
wtmp or lastlog manually).

Btw, do you know how to achieve the same behavior but on TTY or in GUI
opening a shell console (then added in the shell conf, like bashrc)? Do
you think we need to parse the output of the "last" command manually, or
do you have any other solution that avoids reinventing the wheel?

Regards,
--
William Gathoye
<william+***@gathoye.be>
brent s.
2017-09-01 18:42:31 UTC
Post by William Gathoye
I already knew about this PrintLastLog feature but I wasn't aware
that PAM was responsible for that (I thought this was sshd looking in
wtmp or lastlog manually).
Btw, do you know how to achieve the same behavior but on TTY or in GUI
opening a shell console (then added in the shell conf, like bashrc)? Do
you think we need to parse the output of the "last" command manually, or
do you have any other solution that avoids reinventing the wheel?
See my last reply. The lastlog stats will print for both TTY and SSH.
(From recollection, though, sshd's PrintLastLog is different from PAM's
lastlog printing.)

Anyways, no need to muck about with bashrc. PAM itself prints the
lastlog if that module's loaded. I assume.

As for a desktop environment... that's a whole 'nother ballgame. You'd
want to hook into the messaging/notification system for the DE in that case.
--
brent saner
https://www.square-r00t.net
Leonid Isaev via arch-general
2017-09-01 19:41:40 UTC
Post by William Gathoye
Post by brent s.
You don't execute pam_lastlog.so directly.
As shown, pam is calling the pam_lastlog.so object (which is why you
can't execute it; it's not an executable, it's a Shared Object).
Ok. Actually, I saw this was a shared object, and I wondered, as this is the
first time I was seeing an SO which was executable. This confirms my
assumption :)
Most .so files are executable, albeit for historic reasons... And you don't
need to directly execute it. The manpage even has an EXAMPLES section that
explains how to hook pam_lastlog into your PAM setup. You most likely need to
call it with some arguments. For instance, on a Fedora 26 system:
----------
: grep pam_lastlog /etc/pam.d/postlogin-ac
session [default=1] pam_lastlog.so nowtmp silent
session optional pam_lastlog.so silent noupdate showfailed
----------

Cheers,
--
Leonid Isaev
Ralf Mardorf
2017-09-01 18:41:01 UTC
Post by brent s.
it's not an executable
Good point! I was half asleep when I replied.

Anyway, the advice on how to build with debug symbols could be useful for
the future ;).
Ralf Mardorf
2017-09-01 18:31:48 UTC
Post by William Gathoye
I cannot debug further since it hasn't been built with gdb debug
symbols
Hi,

you need to build it and probably, not necessarily, one or the other
dependency yourself:

[***@archlinux tmp]$ pacman -Qo /usr/lib/security/pam_lastlog.so
/usr/lib/security/pam_lastlog.so is owned by pam 1.3.0-1
[***@archlinux tmp]$ asp checkout pam
[snip]
[***@archlinux tmp]$ ls -hl pam/trunk/PKGBUILD
-rw-r--r-- 1 rocketmouse rocketmouse 2.1K Sep 1 20:25 pam/trunk/PKGBUILD

https://wiki.archlinux.org/index.php/Debug_-_Getting_Traces#General

[***@archlinux tmp]$ pacman -Qi pam | grep Depends\ On
Depends On : glibc cracklib libtirpc pambase

Regards,
Ralf