[arch-general] Login Statistics Similar to Centos
Howdy,

I recently was playing with a Centos server. One of the things I found interesting about the experience is the information presented on login:

Last login: Tue Aug 29 17:38:48 EDT 2017 on pts/0
Last failed login: Tue Aug 29 17:47:31 EDT 2017 from 116.31.116.18 on ssh:notty
There were 37 failed login attempts since the last successful login.

How can I get Arch to do that same info? I've searched the wiki and forums, but not found anything.

Thanks,
Storm

--
Powered by Arch Linux! I am registered Linux user number 508465: https://linuxcounter.net/user/508465.html
My blog, Thoughts of a Dragon: http://www.stormdragon.tk/
get my public PGP key: gpg --keyserver wwwkeys.pgp.net --recv-key 43DDC193
"I am your soul insane" Slayer - Gemini
On Tue, Aug 29, 2017 at 05:57:46PM -0400, Storm Dragon via arch-general wrote:
Howdy, I recently was playing with a Centos server. One of the things I found interesting about the experience is the information presented on login:
Last login: Tue Aug 29 17:38:48 EDT 2017 on pts/0
Last failed login: Tue Aug 29 17:47:31 EDT 2017 from 116.31.116.18 on ssh:notty
There were 37 failed login attempts since the last successful login.
How can I get Arch to do that same info? I've searched the wiki and forums, but not found anything.
man 8 pam_lastlog

Cheers,
--
Leonid Isaev
On 08/30/2017 12:19 AM, Leonid Isaev via arch-general wrote:
man 8 pam_lastlog
For your kind info, calling pam_lastlog.so like described in the man pages is segfaulting on my side.

$ /usr/lib/security/pam_lastlog.so
Segmentation fault (core dumped)

I cannot debug further since it hasn't been built with gdb debug symbols, but this is likely due to this issue. [1]

[1] https://www.redhat.com/archives/pam-list/2014-August/msg00003.html

--
William Gathoye <william+archlinux@gathoye.be>
On 09/01/2017 02:11 PM, William Gathoye wrote:
On 08/30/2017 12:19 AM, Leonid Isaev via arch-general wrote:
man 8 pam_lastlog
For your kind info, calling pam_lastlog.so like described in the man pages is segfaulting on my side.
$ /usr/lib/security/pam_lastlog.so
Segmentation fault (core dumped)
I cannot debug further since it hasn't been built with gdb debug symbols, but this is likely due to this issue. [1]
[1] https://www.redhat.com/archives/pam-list/2014-August/msg00003.html
You don't execute pam_lastlog.so directly.

[root@centos7test pam.d]# pwd
/etc/pam.d
[root@centos7test pam.d]# cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
***auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
***session    include      postlogin
-session   optional     pam_ck_connector.so

(*** prefixed for emphasis. Do not actually put those in a pam config.)

[root@centos7test pam.d]# cat postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
***session     [default=1]   pam_lastlog.so nowtmp showfailed
***session     optional      pam_lastlog.so silent noupdate showfailed

(*** prefixed for emphasis. Do not actually put those in a pam config.)

As shown, pam is calling the pam_lastlog.so object (which is why you can't execute it; it's not an executable, it's a Shared Object).

To do this over SSH, /etc/ssh/sshd_config has UsePam yes (and PrintLastLog yes is enabled by default)

--
brent saner
https://www.square-r00t.net
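Added example (not part of the original thread and not any poster's code): a Python check that follows include/substack lines from a PAM service file and lists the pam_lastlog.so session entries it reaches, the way login reaches the module through postlogin in the listing above. The sample files are constructed from that listing; the "bare" service and the function names are hypothetical, and jump controls such as [success=1] are not evaluated.

```python
import tempfile
from pathlib import Path

def lastlog_entries(service, pam_dir="/etc/pam.d", kind="session", seen=None):
    """Return (file, control, options) for each pam_lastlog.so line reachable from service."""
    seen = set() if seen is None else seen
    path = Path(pam_dir, service)
    if service in seen or not path.is_file():
        return []
    seen.add(service)
    hits = []
    for raw in path.read_text().splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)      # drop comments, split off the type
        if len(fields) < 2 or fields[0].lstrip("-") != kind:
            continue                                      # other type (auth, account, ...)
        rest = " ".join(fields[1].split())                # normalise tabs and runs of spaces
        if rest.startswith("["):                          # bracketed control may contain spaces
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            control, _, rest = rest.partition(" ")
        args = rest.split()
        if not args:
            continue
        if control in ("include", "substack"):            # descend into the referenced file
            hits += lastlog_entries(args[0], pam_dir, kind, seen)
        elif Path(args[0]).name == "pam_lastlog.so":
            hits.append((service, control, args[1:]))
    return hits

# Constructed sample trimmed from the CentOS 7 listing ("***" removed); "bare" is hypothetical.
SAMPLE = {
    "login": "auth include postlogin\nsession required pam_loginuid.so\nsession include postlogin\n",
    "postlogin": "#%PAM-1.0\n"
                 "session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet\n"
                 "session [default=1] pam_lastlog.so nowtmp showfailed\n"
                 "session optional pam_lastlog.so silent noupdate showfailed\n",
    "bare": "session required pam_loginuid.so\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body)
        return lastlog_entries("login", d), lastlog_entries("bare", d)

if __name__ == "__main__":
    print(demo())
```

Run against the real directory with lastlog_entries("login") or lastlog_entries("sshd"); an empty list means nothing in that service's session stack loads the module.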
On 09/01/2017 08:26 PM, brent s. wrote:
You don't execute pam_lastlog.so directly.
As shown, pam is calling the pam_lastlog.so object (which is why you can't execute it; it's not an executable, it's a Shared Object).
Ok. Actually, I saw this was a shared object, and I wondered: this is the first time I was seeing an SO which was executable. This confirms my assumption :)
To do this over SSH, /etc/ssh/sshd_config has UsePam yes (and PrintLastLog yes is enabled by default)
I already knew about this PrintLastLog feature but I wasn't aware that PAM was responsible for that (I thought this was sshd looking in wtmp or lastlog manually).

Btw, do you know how to achieve the same behavior but on TTY or in GUI opening a shell console (then added in the shell conf, like bashrc)? Do you think we need to parse the output of the "last" command manually, or do you have any other solution that avoids reinventing the wheel?

Regards,

--
William Gathoye <william+archlinux@gathoye.be>
On 09/01/2017 02:38 PM, William Gathoye wrote:
I already knew about this PrintLastLog feature but I wasn't aware that PAM was responsible for that (I thought this was sshd looking in wtmp or lastlog manually).
Btw, do you know how to achieve the same behavior but on TTY or in GUI opening a shell console (then added in the shell conf, like bashrc)? Do you think we need to parse the output of the "last" command manually, or do you have any other solution that avoids reinventing the wheel?
See my last reply. The lastlog stats will print for both TTY and SSH. (From recollection, though, sshd's PrintLastLog is different from PAM's lastlog printing.)

Anyways, no need to muck about with bashrc. PAM itself prints the lastlog if that module's loaded. I assume.

As for a desktop environment... that's a whole 'nother ballgame. You'd want to hook into the messaging/notification system for the DE in that case.

--
brent saner
https://www.square-r00t.net
On Fri, Sep 01, 2017 at 08:38:24PM +0200, William Gathoye wrote:
On 09/01/2017 08:26 PM, brent s. wrote:
You don't execute pam_lastlog.so directly.
As shown, pam is calling the pam_lastlog.so object (which is why you can't execute it; it's not an executable, it's a Shared Object).
Ok. Actually, I saw this was a shared object, and I wondered: this is the first time I was seeing an SO which was executable. This confirms my assumption :)
Most .so files are executable, albeit for historic reasons... And you don't need to directly execute it. The manpage even has an EXAMPLES section that explains how to hook pam_lastlog into your PAM setup.

You most likely need to call it with some arguments. For instance, on a fedora 26 system:

----------
: grep pam_lastlog /etc/pam.d/postlogin-ac
session [default=1] pam_lastlog.so nowtmp silent
session optional pam_lastlog.so silent noupdate showfailed
----------

Cheers,
--
Leonid Isaev
On Fri, 1 Sep 2017 14:26:24 -0400, brent s. wrote:
it's not an executable
Good point! I was half asleep when I replied. Anyway, the advice how to build with debug symbols could be useful for the future ;).
On Fri, 1 Sep 2017 20:11:29 +0200, William Gathoye wrote:
I cannot debug further since it hasn't been built with gdb debug symbols

Hi,

you need to build it and probably, not necessarily, one or the other dependency yourself:

[rocketmouse@archlinux tmp]$ pacman -Qo /usr/lib/security/pam_lastlog.so
/usr/lib/security/pam_lastlog.so is owned by pam 1.3.0-1
[rocketmouse@archlinux tmp]$ asp checkout pam
[snip]
[rocketmouse@archlinux tmp]$ ls -hl pam/trunk/PKGBUILD
-rw-r--r-- 1 rocketmouse rocketmouse 2.1K Sep 1 20:25 pam/trunk/PKGBUILD

https://wiki.archlinux.org/index.php/Debug_-_Getting_Traces#General

[rocketmouse@archlinux tmp]$ pacman -Qi pam | grep Depends\ On
Depends On : glibc cracklib libtirpc pambase

Regards,
Ralf
participants (5)
- brent s.
- Leonid Isaev
- Ralf Mardorf
- Storm Dragon
- William Gathoye