PAM module to display date of last login and perform inactive account lock out


' 'u [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>]


pam_lastlog is a PAM module to display a line of information about the last login of the user . In addition, the module maintains the /var/log/lastlog file .

Some applications may perform this function themselves . In such cases, this module is not necessary .

If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in . The check is not performed for the root account so the root is never locked out .


debug Print debug information .

silent Don (Aqt inform the user about any previous login, just update the /var/log/lastlog file .

never If the /var/log/lastlog file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message .

nodate Don (Aqt display the date of the last login .

noterm Don (Aqt display the terminal name on which the last login was attempted .

nohost Don (Aqt indicate from which host the last login was attempted .

nowtmp Don (Aqt update the wtmp entry .

noupdate Don (Aqt update any file .

showfailed Display number of failed login attempts and the date of the last failed attempt from btmp . The date is not displayed when nodate is specified .

inactive=<days> This option is specific for the auth or account phase . It specifies the number of days after the last login of the user when the user will be locked out by the module . The default value is 90 .


The auth and account module type allows to lock out users which did not login recently enough . The session module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files .


PAM_SUCCESS Everything was successful .

PAM_SERVICE_ERR Internal service module error .

PAM_USER_UNKNOWN User not known .

PAM_AUTH_ERR User locked out in the auth or account phase due to inactivity .

PAM_IGNORE There was an error during reading the lastlog file in the auth or account phase and thus inactivity of the user cannot be determined .


Add the following line to /etc/pam .d/login to display the last login time of an user:

.RS 4
session required pam_lastlog .so nowtmp

To reject the user if he did not login during the previous 50 days the following line can be used:
.RS 4
auth required pam_lastlog .so inactive=50


/var/log/lastlog Lastlog logging file


pam.conf(5), pam.d(5), pam(8)


pam_lastlog was written by Andrew G . Morgan <morgan@kernel .org> .

Inactive account lock out added by Tomáš Mráz <tm@t8m .info> .

Copied to clipboard
free 100$ digital ocean credit