PAM module to display date of last login and perform inactive account lock out
' pam_lastlog.so 'u pam_lastlog.so [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>]
pam_lastlog is a PAM module to display a line of information about the last login of the user . In addition, the module maintains the /var/log/lastlog file .
Some applications may perform this function themselves . In such cases, this module is not necessary .
If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in . The check is not performed for the root account so the root is never locked out .
debug Print debug information .
silent Don (Aqt inform the user about any previous login, just update the /var/log/lastlog file .
never If the /var/log/lastlog file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message .
nodate Don (Aqt display the date of the last login .
noterm Don (Aqt display the terminal name on which the last login was attempted .
nohost Don (Aqt indicate from which host the last login was attempted .
nowtmp Don (Aqt update the wtmp entry .
noupdate Don (Aqt update any file .
showfailed Display number of failed login attempts and the date of the last failed attempt from btmp . The date is not displayed when nodate is specified .
inactive=<days> This option is specific for the auth or account phase . It specifies the number of days after the last login of the user when the user will be locked out by the module . The default value is 90 .
The auth and account module type allows to lock out users which did not login recently enough . The session module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files .
PAM_SUCCESS Everything was successful .
PAM_SERVICE_ERR Internal service module error .
PAM_USER_UNKNOWN User not known .
PAM_AUTH_ERR User locked out in the auth or account phase due to inactivity .
PAM_IGNORE There was an error during reading the lastlog file in the auth or account phase and thus inactivity of the user cannot be determined .
Add the following line to /etc/pam .d/login to display the last login time of an user:.RS 4
session required pam_lastlog .so nowtmp
To reject the user if he did not login during the previous 50 days the following line can be used: .RS 4
auth required pam_lastlog .so inactive=50
/var/log/lastlog Lastlog logging file
pam.conf(5), pam.d(5), pam(8)
pam_lastlog was written by Andrew G . Morgan <morgan@kernel .org> .
Inactive account lock out added by Tomáš Mráz <tm@t8m .info> .