glacies n00b
Joined: 08 Jun 2018 Posts: 29 Location: Netherlands
Posted: Sat Jun 09, 2018 5:28 pm Post subject: Double /var/log/lastlog output.
On a new Gentoo install, when doing:
The lastlog output prints the same twice:
Code: | ~$ lastlog
Username Port From Latest
root **Never logged in**
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
root **Never logged in**
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
|
The above example is not from the Gentoo system in question, because that system is off-line right now.
I am trying to understand why /var/log/lastlog is printing the same output twice, because I cannot recall this behavior in the past.
I tried to change values in /etc/pam.d/system-login:
Code: | session required pam_env.so
#session optional pam_lastlog.so
session include system-auth
#session optional pam_motd.so motd=/etc/motd
#session optional pam_mail.so |
Notice the commenting out of:
#pam_mail.so
#pam_motd.so
#pam_lastlog.so
The default in /etc/ssh/sshd_config is:
Code: | PrintMotd no
PrintLastlog no
|
Changing the sshd_config and /etc/pam.d/system-login did not change the output of lastlog.
I am sorry if I am lacking information.
Question: Why is lastlog printing the same output twice?

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sat Jun 09, 2018 8:35 pm Post subject: Re: Double /var/log/lastlog output.
glacies wrote: | Question: Why is lastlog printing the same output twice? |
glacies ... because your /var/log/lastlog contains two entries (probably your user, and root), and so both of these must be checked against the first field of /etc/passwd.
Code: | % lastlog | grep tty | sort | uniq
khayyam tty1 Fri May 25 15:24:06 +0200 2018
root tty1 Fri May 25 15:21:32 +0200 2018
% lastlog | grep khayyam
khayyam tty1 Fri May 25 15:24:06 +0200 2018
khayyam tty1 Fri May 25 15:24:06 +0200 2018
% lastlog --user khayyam
Username Port From Latest
khayyam tty1 Fri May 25 15:24:06 +0200 2018 |
The first command shows two users (khayyam and root), the second command shows the double entries returned as the result of looking up both entries in /var/log/lastlog, and the third command shows only the entry for '--user,-u'.
best ... khay |

krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Sun Jun 10, 2018 12:28 am Post subject:
I myself have a really different output than you, khayyam, and I think it is more like what the user thinks lastlog should be; well, it would be logical that at least root and maybe his user appear in it (as they were mostly used to log in once).
Code: | Username Port From Latest
root ssh 192.168.0.6 jeu. avril 12 17:42:03 +0200 2018
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
news **Never logged in**
uucp **Never logged in**
operator **Never logged in**
man **Never logged in**
postmaster **Never logged in**
smmsp **Never logged in**
portage **Never logged in**
nobody **Never logged in**
ldap **Never logged in**
sshd **Never logged in**
cron **Never logged in**
rpc **Never logged in**
distcc **Never logged in**
ntp **Never logged in**
krinn :0.0 sam. juin 9 11:22:59 +0200 2018
messagebus **Never logged in**
... (some more users, but no duplicate)
|
PS: yeah I know, I didn't answer the main question about duplicate entries

glacies n00b
Joined: 08 Jun 2018 Posts: 29 Location: Netherlands
Posted: Sun Jun 10, 2018 1:36 am Post subject:
Hello khayyam, thank you for the quick response.
It could be both root and user entries in /var/log/lastlog; however, what I do not understand is that when I did a clean install, before X was compiled, lastlog shows only 1 entry, while the root and user accounts are created.
Then after upgrading the entire system, all of a sudden lastlog shows duplicate output.
I am trying to understand this behavior.
One side note: I disabled the root account, if that matters, with:
Code: | sudo passwd root -l |

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun Jun 10, 2018 7:14 pm Post subject:
glacies wrote: | It could be both root and user entries in /var/log/lastlog, however what i do not understand is that when i did clean install, before X was compiled, lastlog shows only 1 entry, while the root and user account are created. |
glacies ... it's not the fact that the accounts exist, but that they have a 'lastlog' entry (so, have logged in during this uptime period). Your previous "1 entry" may be due to there being only one user login. I'm not sure this is a bug or not, but krinn's output suggests this only happens when these logins occur on tty ... the next time I reboot I'll test this theory.
glacies wrote: | Then After upgrading the entire system, all of sudden lastlog shows duplicate output.
I am trying to understand this behavior. |
I should ask, what is it you're trying to do, or is this simply a matter of understanding why it does what it does?
glacies wrote: | one side note, i disabled the root account if that matters [...] |
It shouldn't ... but it does make my explanation less likely.
best ... khay |

freke Veteran
Joined: 23 Jan 2003 Posts: 1043 Location: Somewhere in Denmark
Posted: Sun Jun 10, 2018 8:17 pm Post subject:
I noticed that I also have double entries in my lastlog
Code: | ns ~ # lastlog
Username Port From Latest
root pts/0 2001:470:28:4a6: Sun Jun 10 22:14:23 +0200 2018
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
....
root pts/0 2001:470:28:4a6: Sun Jun 10 22:14:23 +0200 2018
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in** |
While last reports root logged in both on pts/0 and ssh (is that how it should be? - there's only ssh-access to the computer)
Code: | ns ~ # last
root pts/0 2001:470:28:4a6: Sun Jun 10 22:14 still logged in
root ssh 2001:470:28:4a6: Sun Jun 10 22:14 still logged in |

glacies n00b
Joined: 08 Jun 2018 Posts: 29 Location: Netherlands
Posted: Sun Jun 10, 2018 10:18 pm Post subject:
khayyam wrote: |
glacies ... it's not the fact that the accounts exist, but that they have a 'lastlog' entry (so, have logged in during this uptime period). Your previous "1 entry" may be due to their being only one user login. I'm not sure this is a bug or not, but krinn's output suggests this only happens when these logins occur on tty ... the next time I reboot I'll test this theory. |
That could be a good explanation, khayyam; it would be nice if you test, I lack the resources to test at the moment.
khayyam wrote: |
I should ask, what is it you're trying to do, or is this simply a matter of understanding why it does what it does?
|
It is a matter of understanding why and what it does. |

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Jun 11, 2018 6:02 am Post subject:
khayyam wrote: | it's not the fact that the accounts exist, but that they have a 'lastlog' entry (so, have logged in during this uptime period). Your previous "1 entry" may be due to their being only one user login. I'm not sure this is a bug or not, but krinn's output suggests this only happens when these logins occur on tty ... the next time I reboot I'll test this theory. |
glacies wrote: | That could be a good explanation Khayyam, it would be nice if you test, i lack the resources to test at the moment. |
glacies ... currently I'm working on meeting a deadline, and can't reboot until I've done so (too much work in progress, open windows, etc). I need to sleep, but I'm pushing to get it done by 12:00 ... and then I imagine I'll be delirious ... so, I don't expect I'll be able to do so until tomorrow.
khayyam wrote: | I should ask, what is it you're trying to do, or is this simply a matter of understanding why it does what it does? |
glacies wrote: | It is a matter of understanding why and what it does. |
Ok, because otherwise you can always pipe to 'sort -u'.
best ... khay |

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Jun 14, 2018 10:39 am Post subject:
glacies wrote: | That could be a good explanation Khayyam, it would be nice if you test, i lack the resources to test at the moment. |
glacies ... I've rebooted and the double entry still appears:
Code: | # lastlog | grep tty
root tty1 Thu Jun 14 07:40:36 +0200 2018
khayyam tty1 Thu Jun 14 08:44:42 +0200 2018
root tty1 Thu Jun 14 07:40:36 +0200 2018
khayyam tty1 Thu Jun 14 08:44:42 +0200 2018 |
I'm fairly sure that what I said previously doesn't make any sense, I suspect something (perhaps pam) is writing the entry in /var/log/lastlog twice.
best ... khay |

krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Thu Jun 14, 2018 11:36 am Post subject:
You actually have something else odd; harder to catch but still odd.
LC_ALL=C man lastlog wrote: | The default (no flags) causes lastlog entries to be
printed, sorted by their order in /etc/passwd. |
So even if you have the double entries, we should expect this result:
Code: | # lastlog | grep tty
root tty1 Thu Jun 14 07:40:36 +0200 2018
root tty1 Thu Jun 14 07:40:36 +0200 2018
khayyam tty1 Thu Jun 14 08:44:42 +0200 2018
khayyam tty1 Thu Jun 14 08:44:42 +0200 2018 |
In your two cases, it kind of looks more like lastlog (the program) is run twice, rather than double entries.
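Added example, not part of any post in this thread and not code from the shadow package: a small parser for the lastlog file format that separates "the file holds the login twice" from "the account list is enumerated twice", which is the distinction the man page quote above points at. /var/log/lastlog is an array of fixed-size records indexed by UID, so each UID has a single slot; the sketch assumes the glibc x86-64 layout (4-byte time, 32-byte line, 256-byte host), and the passwd lines, UIDs and timestamps are constructed sample data.

```python
import struct
from collections import Counter

# Assumed glibc x86-64 struct lastlog: int32 ll_time, char ll_line[32], char ll_host[256]
REC = struct.Struct("=i32s256s")  # 292 bytes per UID slot

def build_lastlog(entries):
    """Constructed sample file: {uid: (time, line, host)} -> bytes indexed by UID."""
    buf = bytearray(REC.size * (max(entries) + 1))
    for uid, (when, line, host) in entries.items():
        REC.pack_into(buf, uid * REC.size, when, line.encode(), host.encode())
    return bytes(buf)

def read_record(blob, uid):
    """Return (time, line, host) for a UID, or None when the slot is empty."""
    offset = uid * REC.size
    if offset + REC.size > len(blob):
        return None  # file is shorter than this UID's slot
    when, line, host = REC.unpack_from(blob, offset)
    if when == 0:
        return None  # zeroed slot: shown as **Never logged in**
    return when, line.rstrip(b"\0").decode(), host.rstrip(b"\0").decode()

def listing(passwd_lines, blob):
    """One row per enumerated account, in enumeration order."""
    rows = []
    for entry in passwd_lines:
        name, _pw, uid = entry.split(":")[:3]
        rows.append((name, read_record(blob, int(uid))))
    return rows

def repeated_accounts(passwd_lines):
    """Account names the enumeration returned more than once."""
    counts = Counter(entry.split(":", 1)[0] for entry in passwd_lines)
    return sorted(name for name, n in counts.items() if n > 1)

# Constructed data: two logins on file, and an account list that comes back twice.
BLOB = build_lastlog({0: (1528954836, "tty1", ""), 1000: (1528958682, "tty1", "")})
ONCE = ["root:x:0:0::/root:/bin/bash", "bin:x:1:1::/bin:/bin/false",
        "khayyam:x:1000:1000::/home/khayyam:/bin/bash"]
TWICE = ONCE + ONCE

if __name__ == "__main__":
    for name, rec in listing(TWICE, BLOB):
        print(f"{name:<10}", rec if rec else "**Never logged in**")
    print("repeated in enumeration:", repeated_accounts(TWICE))
```

With the doubled list the rows come out as root, bin, khayyam, root, bin, khayyam while the file still holds one record per UID. On a live system the same check on the account list is `getent passwd | cut -d: -f1 | sort | uniq -d`.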

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Jun 14, 2018 12:06 pm Post subject:
krinn wrote: | In your two cases, it kinda more looks like lastlog (the program) is run twice time, more than double entries. |
krinn ... ok, but it could be those are entries generated at the time when login is run ... so, via pam for example.
best ... khay |

krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Thu Jun 14, 2018 12:24 pm Post subject:
I really have no idea of the why, it's really really odd still (and this is enough for me to also be in need of the why answer)
I could share any of my pam.d entries to help dig into this.
Found this: my system-login is giving a "silent" option to pam_lastlog.so ?
Code: | session optional pam_lastlog.so silent
|
man pam_lastlog wrote: | silent
Don't inform the user about any previous login, just update the
/var/log/lastlog file.
|

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Jun 14, 2018 12:59 pm Post subject:
krinn ...
I have the same:
Code: | # grep lastlog /etc/pam.d/*login*
/etc/pam.d/login:session optional pam_lastlog.so
/etc/pam.d/system-login:session optional pam_lastlog.so silent |
best ... khay |

glacies n00b
Joined: 08 Jun 2018 Posts: 29 Location: Netherlands
Posted: Thu Jun 14, 2018 8:38 pm Post subject:
Hello khayyam and krinn,
Today I built 1 Gentoo box with the 17.1 profile.
GCC took 2 hours to compile; before, on 17.0, 40 minutes.
Not that it matters to the double lastlog.
I found out that after gcc and about 10 packages were installed, the double lastlog entries appeared.
khayyam, I tried your theory; that did not seem to work.
So I guess that this might be a bug? I did not log in with root. Only user. No double entries.
Then I logged in with root on tty2. And still only 1 entry.
After I compile gcc and a few other packages I see double entries in # lastlog
I also got the same in the shadow pam files.
Because the system got emerged up to date, I think the double entries are a new feature. And I think normal behaviour?
# Qcheck - shows the pam and shadow related files are in an OK state.
The PC was offline at the moment of testing.
I try to edit the shadow files and pam, but it does not seem to have any effect. Lastlog works OK; I just have to accept that there are double entries?
Maybe I should not touch the last login. I do have authenticator in /etc/pam.d/system-auth.

krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Fri Jun 15, 2018 12:39 pm Post subject:
glacies wrote: | I found out that after gcc and about 10 packages where installed, the double lastlog entries appeared |
Ah, I always forget about this, but I'm lazy and conservative, so yeah, my packages are certainly outdated.
I'll be glad to try newer versions to see if the problem appears for me; just give me the package and version you think I should try.