Re: /etc/security/lastlog not updated
From: Darren Tucker (dtucker_at_zip.com.au)
Date: Sat, 15 Nov 2003 08:53:44 +1100
To: email@example.com
> Security auditing has led us to find that on older AIX systems, accessing
> the system via ssh does NOT result in /etc/security/lastlog being updated.
> We have about 40 systems where this is a problem; a typical one has levels:
> iswhbfocd# oslevel
> iswhbfocd# ssh -V
> OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
> Can anyone point me to where/how I can enable logging to
Before I go into detail, I'd just mention that AIX 4.2.1 has been out of
support for several years, and I'm surprised your auditors didn't ding you
for that first.
OK, make sure that OpenSSH's configure found authenticate(), which sets
WITH_AIXAUTHENTICATE in config.h. On AIX 4.2.1, authenticate is in
libs.a, so you may have to add "-ls" to LDFLAGS (although configure should
do this automatically).
Make sure WITH_AIXAUTHENTICATE is set in config.h. Most of the
AIX-specific login code is inside "#ifdef WITH_AIXAUTHENTICATE", so if
it's not set, things like loginsuccess(), which record the last login time,
won't be called.
The other thing you may find is that loginsuccess is only called for
password authentication. This is a bug; however, it's not trivial to fix.
This is because for, e.g., public-key authentication, loginsuccess must be
called by the privileged monitor and there's no easy way to get the output
back to where it can be shown to the user.
If this is the case you can try one of my password expiry patches.
Among other things, it moves the loginsuccess call to the privileged
monitor and provides a monitor call to retrieve the results, so should
correctly record logins on AIX for every authentication type. (If it
doesn't, I'd like to know about it so I can fix it.)
> In later systems I can see a stanza in sshd.config:
> PrintLastLog yes
> # Specifies whether sshd should print the date and time when the
> # user last logged in. The default is ``yes''.
> Is this relevant?
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
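
An added audit example, not part of the original message and not OpenSSH code: it cross-checks sshd "Accepted" syslog lines against the time_last_login values in a stanza-format lastlog to find logins that were never recorded, which is the symptom described above for non-password authentication. The sample data, the function names, the UTC timestamps and the caller-supplied year are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the AIX stanza layout of /etc/security/lastlog.
LASTLOG = """\
alice:
\ttime_last_login = 1068846600
\ttty_last_login = ssh

bob:
\ttime_last_login = 1066000000
\ttty_last_login = /dev/pts/1
"""
# Constructed sshd syslog lines; timestamps are assumed to be UTC.
SSHD_LOG = """\
Nov 14 21:50:00 iswhbfocd sshd[4312]: Accepted password for alice from 192.0.2.10 port 40112 ssh2
Nov 14 21:55:12 iswhbfocd sshd[4410]: Accepted publickey for bob from 192.0.2.20 port 40177 ssh2
Nov 14 21:58:40 iswhbfocd sshd[4502]: Failed password for carol from 192.0.2.30 port 40201 ssh2
"""
ACCEPTED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")

def parse_lastlog(text):
    """Return {user: {attribute: value}} from stanza-format text."""
    users, current = {}, None
    for line in text.splitlines():
        entry = line.strip()
        if entry.endswith(":") and not line[0].isspace():
            current = users.setdefault(entry[:-1], {})
        elif current is not None and "=" in entry:
            key, _, value = entry.partition("=")
            current[key.strip()] = value.strip()
    return users

def unrecorded_logins(sshd_log, lastlog_text, year, slack=60):
    """List (user, method, host) for accepted logins newer than lastlog."""
    lastlog = parse_lastlog(lastlog_text)
    findings = []
    for m in filter(None, map(ACCEPTED.match, sshd_log.splitlines())):
        stamp, method, user, host = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc).timestamp()
        # A user with no stanza counts as never recorded (time 0).
        recorded = int(lastlog.get(user, {}).get("time_last_login", 0))
        if recorded + slack < when:
            findings.append((user, method, host))
    return findings
```

Because lastlog keeps only the most recent login per user, a later recorded login hides earlier unrecorded ones, so run the check soon after the ssh session of interest.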