blob: bada2ea0288a7f62a7906c095ea0b02acaa38a3b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
|
<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="pam_lastlog">
<refmeta>
<refentrytitle>pam_lastlog</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="pam_lastlog-name">
<refname>pam_lastlog</refname>
<refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis id="pam_lastlog-cmdsynopsis">
<command>pam_lastlog.so</command>
<arg choice="opt">
debug
</arg>
<arg choice="opt">
silent
</arg>
<arg choice="opt">
never
</arg>
<arg choice="opt">
nodate
</arg>
<arg choice="opt">
nohost
</arg>
<arg choice="opt">
noterm
</arg>
<arg choice="opt">
nowtmp
</arg>
<arg choice="opt">
noupdate
</arg>
<arg choice="opt">
showfailed
</arg>
<arg choice="opt">
inactive=<days>
</arg>
<arg choice="opt">
unlimited
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="pam_lastlog-description">
<title>DESCRIPTION</title>
<para>
pam_lastlog is a PAM module to display a line of information
about the last login of the user. In addition, the module maintains
the <filename>/var/log/lastlog</filename> file.
</para>
<para>
Some applications may perform this function themselves. In such
cases, this module is not necessary.
</para>
<para>
The module checks <option>LASTLOG_UID_MAX</option> option in
<filename>/etc/login.defs</filename> and does not update or display
last login records for users with UID higher than its value.
If the option is not present or its value is invalid, no user ID
limit is applied.
</para>
<para>
If the module is called in the auth or account phase, the accounts that
were not used recently enough will be disallowed to log in. The
check is not performed for the root account so the root is never
locked out. It is also not performed for users with UID higher
than the <option>LASTLOG_UID_MAX</option> value.
</para>
</refsect1>
<refsect1 id="pam_lastlog-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>debug</option>
</term>
<listitem>
<para>
Print debug information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>silent</option>
</term>
<listitem>
<para>
Don't inform the user about any previous login,
just update the <filename>/var/log/lastlog</filename> file.
This option does not affect display of bad login attempts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>never</option>
</term>
<listitem>
<para>
If the <filename>/var/log/lastlog</filename> file does
not contain any old entries for the user, indicate that
the user has never previously logged in with a welcome
message.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>nodate</option>
</term>
<listitem>
<para>
Don't display the date of the last login.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>noterm</option>
</term>
<listitem>
<para>
Don't display the terminal name on which the
last login was attempted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>nohost</option>
</term>
<listitem>
<para>
Don't indicate from which host the last login was
attempted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>nowtmp</option>
</term>
<listitem>
<para>
Don't update the wtmp entry.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>noupdate</option>
</term>
<listitem>
<para>
Don't update any file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>showfailed</option>
</term>
<listitem>
<para>
Display number of failed login attempts and the date of the
last failed attempt from btmp. The date is not displayed
when <option>nodate</option> is specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>inactive=<days></option>
</term>
<listitem>
<para>
This option is specific for the auth or account phase. It
specifies the number of days after the last login of the user
when the user will be locked out by the module. The default
value is 90.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>unlimited</option>
</term>
<listitem>
<para>
If the <emphasis>fsize</emphasis> limit is set, this option can be
used to override it, preventing failures on systems with large UID
values that lead lastlog to become a huge sparse file.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="pam_lastlog-types">
<title>MODULE TYPES PROVIDED</title>
<para>
The <option>auth</option> and <option>account</option> module type
allows one to lock out users who did not login recently enough.
The <option>session</option> module type is provided for displaying
the information about the last login and/or updating the lastlog and
wtmp files.
</para>
</refsect1>
<refsect1 id='pam_lastlog-return_values'>
<title>RETURN VALUES</title>
<para>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
Everything was successful.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SERVICE_ERR</term>
<listitem>
<para>
Internal service module error.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_USER_UNKNOWN</term>
<listitem>
<para>
User not known.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_AUTH_ERR</term>
<listitem>
<para>
User locked out in the auth or account phase due to
inactivity.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_IGNORE</term>
<listitem>
<para>
There was an error during reading the lastlog file
in the auth or account phase and thus inactivity
of the user cannot be determined.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 id='pam_lastlog-examples'>
<title>EXAMPLES</title>
<para>
Add the following line to <filename>/etc/pam.d/login</filename> to
display the last login time of a user:
</para>
<programlisting>
session required pam_lastlog.so nowtmp
</programlisting>
<para>
To reject the user if he did not login during the previous 50 days
the following line can be used:
</para>
<programlisting>
auth required pam_lastlog.so inactive=50
</programlisting>
</refsect1>
<refsect1 id="pam_lastlog-files">
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/var/log/lastlog</filename></term>
<listitem>
<para>Lastlog logging file</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='pam_lastlog-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='pam_lastlog-author'>
<title>AUTHOR</title>
<para>
pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.
</para>
<para>
Inactive account lock out added by Tomáš Mráz <tm@t8m.info>.
</para>
</refsect1>
</refentry>
|