LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
-   -   Problem with showing failed login attempts using pam_lastlog.so (https://www.linuxquestions.org/questions/linux-general-1/problem-with-showing-failed-login-attempts-using-pam_lastlog-so-4175447542/)

Ronayn 01-28-2013 09:26 AM
Problem with showing failed login attempts using pam_lastlog.so
 
Hello,

I have a computer with Fedora 14 installed. By default, it shows the last login when I login. However, I want it to also show any failed login attempts.

I've researched PAM on how to do this, and have implemented the solution provided by the man page (and confirmed by several web pages). The problem is, this solution causes the last login line to appear twice -- and with two different times!

When reading the man page, it mentions that some modules will show the last login by default (hence you dont need pam_lastlog if the only thing you want is to show the last login), but I want the last login AND the failed login attempts (with no repeating lines).

Any help would be appreciated!

kbp 01-28-2013 05:14 PM
I ran into the same problem a while back .. try this:
Code:
cat <<EOF >> /etc/ssh/sshd_config
# Disabled here, added to /etc/pam.d/sshd to show failed logins
PrintLastLog no
EOF

grep -e '^UsePAM.*' /etc/ssh/sshd_config >/dev/null 2>&1
if [[ $? -ne 0 ]]
then
cat << EOF >> /etc/ssh/sshd_config
UsePAM yes
EOF
else
perl -pi -e 's/^UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config
fi

cat <<EOF >> /etc/pam.d/login
session    required      pam_lastlog.so noupdate showfailed
EOF

cat <<EOF >> /etc/pam.d/sshd
session    required      pam_lastlog.so noupdate showfailed
EOF
You may want to make the changes manually, these were specifically for RHEL in a known state and don't have enough defensive coding around them.

BTW .. you really should use a newer version of Fedora.. 14 is no longer supported

Ronayn 01-29-2013 08:04 AM
Hello kbp,

Thanks for the input. I applied those changes, but the problem still remains. The only difference is now the second last login line has the same time as the first.

BTW, I am testing changes like this in a console window on the actual machine so I can log in w/o going through GDM or SSH. I've tried using similar session lines in different parts of /etc/pam.d/login, but it makes no difference.

Some PAM module is printing out that last login w/o being asked to -- I just dont know which it is, or if I can even turn it off.

kbp 01-29-2013 07:35 PM
Did you restart sshd?

Ronayn 01-30-2013 05:55 AM
Quote:
Originally Posted by kbp (Post 4880291)
Did you restart sshd?
Hello kbp,

Thanks again for your input. In answer to question: Yes :) Fortunately, I've had to work on SSH before, so I am very familiar with the need to restart the service after any change.

I am curious about one thing -- what would SSH have to do with a normal login at the console? I mean, I know I'd have to change it there too, for remote secure logins. But right now I'd settle for getting the console login looking right. Can I ignore SSH for now? (Or is there some relationship between a normal login at the console and SSH?)

kbp 01-30-2013 04:59 PM
No .. you're correct, there is no relationship between them, have you tried adding the pam_lastlog line to /etc/pam.d/system-auth ?

cj_cheema 02-03-2015 02:43 AM
Code:
cat <<EOF >> /etc/pam.d/login
session    required      pam_lastlog.so noupdate showfailed
EOF

cat <<EOF >> /etc/pam.d/sshd
session    required      pam_lastlog.so noupdate showfailed
EOF
Adding the above file in respective file has solved my issue. Thanks Kbp.

Regards
CJ


All times are GMT -5. The time now is 06:28 PM.