Re: /etc/security/lastlog not updated

From: Darren Tucker (
Date: 11/14/03

  • Next message: Byron Sonne: "Re: what do I do?"
    Date: Sat, 15 Nov 2003 08:53:44 +1100
    > Security auditing has led us to find that on older AIX systems, accessing
    > the system via ssh does NOT result in /etc/security/lastlog being updated.
    > We have about 40 systems where this is a problem; a typical one has levels:
    > iswhbfocd# oslevel
    > iswhbfocd# ssh -V
    > OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
    > *
    > Can anyone point me to where/how I can enable logging to
    > lastlog?

    Before I go into detail, I'd just mention that AIX 4.2.1 has been out of
    support for several years, and I'm surprised your auditors didn't ding you
    for that first.

    OK, make sure that OpenSSH's configure found authenticate(), which sets
    WITH_AIXAUTHENTICATE in config.h. On AIX 4.2.1, authenticate is in
    libs.a, so you may have to add "-ls" to LDFLAGS (although configure should
    do this automatically).

    Make sure WITH_AIXAUTHENTICATE is set in config.h. Most of the
    AIX-specific login code is inside "#ifdef WITH_AIXAUTHENTICATE", so if
    it's not set, things like loginsuccess(), which records the last login time,
    won't be called.

    The other thing you may find is that loginsuccess is only called for
    password authentication. This is a bug; however, it's not trivial to fix.
    This is because for, e.g., public-key authentication, loginsuccess must be
    called by the privileged monitor and there's no easy way to get the output
    back to where it can be shown to the user.

    If this is the case you can try one of my password expiry patches [1].
    Among other things, it moves the loginsuccess call to the privileged
    monitor and provides a monitor call to retrieve the results, so should
    correctly record logins on AIX for every authentication type. (If it
    doesn't, I'd like to know about it so I can fix it).

    > In later systems I can see a stanza in sshd.config:
    > PrintLastLog yes
    > # Specifies whether sshd should print the date and time when the
    > # user last logged in. The default is ``yes''.
    > *
    > Is this relevant?



    Darren Tucker (dtucker at
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
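The reply above boils down to three things to verify before blaming sshd's lastlog handling: that WITH_AIXAUTHENTICATE really ended up defined in config.h, that libs.a was on the link line, and that PrintLastLog is in effect. The following script is an added example, not code from this thread or from OpenSSH; it assumes an autoconf-generated config.h (where an undetected feature is written as the comment `/* #undef WITH_AIXAUTHENTICATE */`, so a plain grep for the macro name gives a false positive), and the sample config.h and sshd_config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or OpenSSH): audit helper for the
# build-time conditions described in the reply. Assumes an autoconf-style config.h:
#   found:     #define WITH_AIXAUTHENTICATE 1
#   not found: /* #undef WITH_AIXAUTHENTICATE */   (naive grep still matches this)

# aixauth_defined FILE: exit 0 only when the macro is actually #defined,
# ignoring the commented-out "#undef" form autoconf leaves behind.
aixauth_defined() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+WITH_AIXAUTHENTICATE([[:space:]]|$)' "$1"
}

# ldflags_has_libs "FLAGS": exit 0 when -ls (libs.a, where authenticate() lives
# on AIX 4.2.1) is among the linker flags that were used for the build.
ldflags_has_libs() {
    for flag in $1; do
        [ "$flag" = "-ls" ] && return 0
    done
    return 1
}

# printlastlog_enabled SSHD_CONFIG: exit 0 when the effective PrintLastLog value
# is yes. sshd uses the first uncommented occurrence of a keyword, keywords are
# case-insensitive, and the documented default when absent is yes.
printlastlog_enabled() {
    val=$(awk 'tolower($1) == "printlastlog" { print tolower($2); exit }' "$1")
    [ -z "$val" ] && val=yes
    [ "$val" = "yes" ]
}

# run_checks CONFIG_H "LDFLAGS" SSHD_CONFIG: print one line per check and return
# the number of failed checks. 0 means the build can reach loginsuccess(), so a
# still-missing lastlog entry points at the auth-method issue the reply mentions.
run_checks() {
    failed=0
    if aixauth_defined "$1"; then echo "PASS WITH_AIXAUTHENTICATE defined in $1"
    else echo "FAIL WITH_AIXAUTHENTICATE not defined in $1"; failed=$((failed + 1)); fi
    if ldflags_has_libs "$2"; then echo "PASS -ls present in LDFLAGS"
    else echo "FAIL -ls missing from LDFLAGS"; failed=$((failed + 1)); fi
    if printlastlog_enabled "$3"; then echo "PASS PrintLastLog is yes in $3"
    else echo "FAIL PrintLastLog is no in $3"; failed=$((failed + 1)); fi
    return $failed
}

# Constructed sample inputs (not from any real host) so the script runs offline.
demo() {
    dir=$(mktemp -d)
    printf '/* #undef WITH_AIXAUTHENTICATE */\n' > "$dir/config_bad.h"
    printf '#define WITH_AIXAUTHENTICATE 1\n'   > "$dir/config_good.h"
    printf '# PrintLastLog yes\nPrintLastLog no\n' > "$dir/sshd_config_bad"
    printf 'Port 22\nprintlastlog yes\n'         > "$dir/sshd_config_good"

    echo "== build where configure did not find authenticate() =="
    run_checks "$dir/config_bad.h" "-lcrypto" "$dir/sshd_config_bad" || true
    echo "== build with authenticate() found and -ls linked =="
    run_checks "$dir/config_good.h" "-lcrypto -ls" "$dir/sshd_config_good" || true
    rm -rf "$dir"
}

demo
```

On a real build tree, point `run_checks` at the generated config.h, the LDFLAGS shown in config.log or the Makefile, and the installed sshd_config; when all three pass but lastlog still stays empty for key-based logins, the remaining suspect is the password-only loginsuccess call the reply describes.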
