Problem with showing failed login attempts using pam_lastlog.so

Ronayn · 01-28-2013, 09:26 AM

Hello,

I have a computer with Fedora 14 installed. By default, it shows the last login when I login. However, I want it to also show any failed login attempts.

I've researched PAM on how to do this, and have implemented the solution provided by the man page (and confirmed by several web pages). The problem is, this solution causes the last login line to appear twice -- and with two different times!

When reading the man page, it mentions that some modules will show the last login by default (hence you dont need pam_lastlog if the only thing you want is to show the last login), but I want the last login AND the failed login attempts (with no repeating lines).

Any help would be appreciated!

kbp · 01-28-2013, 05:14 PM

I ran into the same problem a while back .. try this:

Code:

cat <<EOF >> /etc/ssh/sshd_config
# Disabled here, added to /etc/pam.d/sshd to show failed logins
PrintLastLog no
EOF

grep -e '^UsePAM.*' /etc/ssh/sshd_config >/dev/null 2>&1
if [[ $? -ne 0 ]]
then
cat << EOF >> /etc/ssh/sshd_config
UsePAM yes
EOF
else
perl -pi -e 's/^UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config
fi

cat <<EOF >> /etc/pam.d/login
session     required      pam_lastlog.so noupdate showfailed
EOF

cat <<EOF >> /etc/pam.d/sshd
session     required      pam_lastlog.so noupdate showfailed
EOF

You may want to make the changes manually, these were specifically for RHEL in a known state and don't have enough defensive coding around them.

BTW .. you really should use a newer version of Fedora.. 14 is no longer supported

Ronayn · 01-29-2013, 08:04 AM

Hello kbp,

Thanks for the input. I applied those changes, but the problem still remains. The only difference is now the second last login line has the same time as the first.

BTW, I am testing changes like this in a console window on the actual machine so I can log in w/o going through GDM or SSH. I've tried using similar session lines in different parts of /etc/pam.d/login, but it makes no difference.

Some PAM module is printing out that last login w/o being asked to -- I just dont know which it is, or if I can even turn it off.

kbp · 01-29-2013, 07:35 PM

Did you restart sshd?

Ronayn · 01-30-2013, 05:55 AM

Quote:

Originally Posted by kbp

Did you restart sshd?

Hello kbp,

Thanks again for your input. In answer to question: Yes

Fortunately, I've had to work on SSH before, so I am very familiar with the need to restart the service after any change.

I am curious about one thing -- what would SSH have to do with a normal login at the console? I mean, I know I'd have to change it there too, for remote secure logins. But right now I'd settle for getting the console login looking right. Can I ignore SSH for now? (Or is there some relationship between a normal login at the console and SSH?)

kbp · 01-30-2013, 04:59 PM

No .. you're correct, there is no relationship between them, have you tried adding the pam_lastlog line to /etc/pam.d/system-auth ?

cj_cheema · 02-03-2015, 02:43 AM

Code:

cat <<EOF >> /etc/pam.d/login
session     required      pam_lastlog.so noupdate showfailed
EOF

cat <<EOF >> /etc/pam.d/sshd
session     required      pam_lastlog.so noupdate showfailed
EOF

Adding the above file in respective file has solved my issue. Thanks Kbp.

Regards
CJ