I am using pamela with JupyterHub to open PAM sessions for my users. I am on CentOS 8 and I am using the login service. I can see in /var/log/secure

pam_unix(login:session): session opened for user testuser by (uid=0)

and in /var/log/messages

systemd[1]: Started Session 8341 of user testuser

Furthermore there are no errors logged in /var/log/{messages|secure|audit/audit.log}. But with a new user successfully logged in to JupyterHub, the lastlog command still says that this user has never logged in. So I think I am missing some requirements for pam_lastlog in order to write information to /var/log/lastlog. pam_open_session is called in a subprocess with root privileges. Maybe this subprocess needs to be tied to a pts or tty in order to write useful information to /var/log/lastlog? This is the /etc/pam.d/login file:

#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

This is in /etc/pam.d/postlogin:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.

session optional                   pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1]                pam_lastlog.so nowtmp showfailed
session optional                   pam_lastlog.so silent noupdate showfailed

and this is in /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

2 Answers

0

Your /etc/pam.d/postlogin file contains the nowtmp directive on this line:

session [default=1] pam_lastlog.so nowtmp showfailed

From $ man pam_lastlog:

       nowtmp
           Don't update the wtmp entry.

The last command uses the /var/log/wtmp file while the lastlog command uses the /var/log/lastlog file.

lastlog is usually much smaller than the wtmp file as it only records the very last login for each user. wtmp records a history of all the login time and dates for a user.

There doesn't seem to be a directive in the pam_lastlog.so manual page which can switch off logging to the lastlog, so this should by all accounts be working. Note that there is a directive to do that for wtmp, the nowtmp directive.

You can, however, switch off historical logins written to wtmp, so perhaps try removing just the nowtmp directive and see if that makes a difference.

0

For the login service, it is the postlogin line with silent, noupdate & showfailed that is used. noupdate apparently means that pam_lastlog should not update any file. So this line does not allow pam_lastlog to update lastlog.

It does still seem to record failed logins somewhere, but not successful ones. This results in the failed login count only being reset when a successful login happens using the gdm* or su* services.
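To see why the login service ends up on the noupdate line that the second answer describes, here is an added Python simulation (not from either answer, nor from the pamela or JupyterHub projects) that walks the session lines of the postlogin file quoted in the question, applying the [success=N default=ignore] skip rules the way libpam does. It only models the arguments used in that file and assumes pam_succeed_if and pam_lastlog behave as their manual pages describe.

```python
import fnmatch

# Constructed copy of the session lines from the /etc/pam.d/postlogin quoted in the question.
POSTLOGIN = """
session optional                   pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1]                pam_lastlog.so nowtmp showfailed
session optional                   pam_lastlog.so silent noupdate showfailed
"""

def parse_stack(text):
    """Return (control-dict, module, args) per rule; keywords map to the PAM [..] form."""
    keywords = {"optional": {"default": "ignore"}, "required": {"default": "bad"}}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _typ, rest = line.split(None, 1)
        if rest.startswith("["):
            spec, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in spec.split())
        else:
            word, rest = rest.split(None, 1)
            control = keywords[word]
        module, *args = rest.split()
        rules.append((control, module, args))
    return rules

def succeed_if(args, service):
    """Evaluate only the 'service <op> <pattern>' triples that the quoted file uses."""
    tokens = [a for a in args if a not in ("quiet", "use_uid")]
    for field, op, pat in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
        assert field == "service", "only the service field is modelled here"
        match = fnmatch.fnmatchcase(service, pat)
        if (op == "=~" and not match) or (op == "!~" and match):
            return False
    return True

def lastlog_lines_reached(service, text=POSTLOGIN):
    """Walk the stack like libpam: a numeric action skips that many following rules."""
    rules, i, reached = parse_stack(text), 0, []
    while i < len(rules):
        control, module, args = rules[i]
        ok = succeed_if(args, service) if module == "pam_succeed_if.so" else True
        if module == "pam_lastlog.so":
            reached.append(" ".join(args))  # record which pam_lastlog line actually runs
        action = control.get("success" if ok else "default", control.get("default", "ignore"))
        i += 1 + int(action) if action.isdigit() else 1
    return reached

if __name__ == "__main__":
    for svc in ("login", "gdm-password", "su-l"):
        print(f"{svc:13s} -> pam_lastlog.so {lastlog_lines_reached(svc)}")
```

For the login service the walk lands on the silent noupdate showfailed line, so lastlog is never written; only gdm* and su* services reach the nowtmp showfailed line that updates it.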
