pam_lastlog

In PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd):

auth       optional     pam_lastlog.so [options]
session    optional     pam_lastlog.so [options]

Note: pam_lastlog is a PAM module, not a direct shell command.

debug
    Enables debug messages to be written to syslog.

nodate
    Suppresses the display of the last login date.

nohost
    Suppresses the display of the last login hostname.

notty
    Suppresses the display of the last login terminal (TTY).

never
    Causes 'Never logged in' to be printed if the user has no previous login record.

silent
    Suppresses all output related to the last login information. The module will still update the record if configured to do so.

update
    Forces the update of the lastlog record for the user, even if the module is in an 'auth' stack that might otherwise skip updates.

noupdate
    Prevents the module from updating the lastlog record. It will still display information if not 'silent'.

lastlog=/path/to/lastlog
    Specifies an alternative path for the lastlog file instead of the default /var/log/lastlog.

lastlog_dir=/path/to/dir
    Specifies an alternative directory where the lastlog file can be created if it's a sparse file. Less commonly used.

unlimited
    Do not truncate the displayed last login string to the screen width.

nouser
    Do not print 'Unknown user' for users who do not exist in the system's password database.

delay=SECONDS
    Introduces a delay (in seconds) before displaying the last login information. Useful in scenarios like telnet to ensure the client has time to receive data.

The pam_lastlog module is a Pluggable Authentication Module (PAM) responsible for recording and optionally displaying the last login time, date, host, and terminal for a user. It primarily interacts with the /var/log/lastlog file, which stores this information efficiently using a sparse file format.

Upon a successful user authentication, pam_lastlog updates the user's entry in the lastlog file. During the session setup phase, it can be configured to display this last login information to the user. This module is an essential component for system security and auditing, providing administrators and users with a record of login activity.

It's crucial to understand that pam_lastlog is not a standalone command executed directly from the shell like ls or grep. Instead, it is a shared library module (pam_lastlog.so) that is invoked by PAM-aware applications (e.g., login, sshd) based on configurations in files located in /etc/pam.d/. Its behavior is controlled by options specified alongside the module name in these PAM configuration files.

pam_lastlog relies on the /var/log/lastlog file being writable by the process performing the login. If the file is inaccessible or permissions are incorrect, the last login record may not be updated, or information may not be displayed correctly. Since it's a PAM module, its behavior is entirely dependent on its placement and options within the system's PAM configuration files. Improper configuration can lead to unexpected behavior or security issues.

pam_lastlog is typically configured in the session and sometimes the auth stack of PAM-aware services. For instance, in /etc/pam.d/login or /etc/pam.d/sshd, you might find lines like:

session    optional     pam_lastlog.so
auth       optional     pam_lastlog.so update

The session entry is generally responsible for displaying the last login information, while the auth entry (often with the update option) ensures the lastlog file is updated upon successful authentication.

The /var/log/lastlog file is a critical binary file that stores records for each user ID. It's a 'sparse file,' meaning it only consumes disk space for user IDs that have actually logged in, making it efficient for systems with a large range of possible UIDs but few actual users. Each entry typically contains the login time, terminal, and host. You can view its contents indirectly using commands like last or lastlog (utility).

pam_lastlog is a core component of the Linux-PAM (Pluggable Authentication Modules) project, which was developed to provide a flexible and standardized authentication framework for Linux systems. It emerged as a replacement for older, monolithic authentication systems, allowing system administrators to easily configure authentication mechanisms without recompiling applications. pam_lastlog has been a standard module for tracking user login activity since the early days of PAM, contributing to system auditing and user awareness of their login history.

last(1), w(1), who(1), lastb(1), faillog(8), pam(8), pam.conf(5), login(1), sshd(8)