The call to get_last_login_time() in session.c happens in the child without being wrapped in the monitor. Only root gets the lastlog time printed if the lastlog file isn't world-readable.
Generate the message earlier in the login process and store for display after session startup? Rather than another variable for this (eg aixloginmsg, maybe __pam_msg), what about using a single Buffer for storing all of the messages to be displayed after login? I've started doing something like this (see http://www.zip.com.au/~dtucker/openssh/openssh-passexpire9.patch) and an (as yet unpublished) update to this makes things neater (eg the patch removes 3 #ifdefs).
hm, yes, this would make sense. something like Buffer loginmsg;
AIX has a related problem with loginsuccess(), which generates the equivalent of the LastLogin message. At the moment it's only called for password authentication, so public-key logins don't get the messages or have the /etc/security/lastlog file updated. The patch I'm about to attach to bug #14 fixes this for AIX and PrintLastLog along with fixing #14, however if someone wants to merge this separately I'll split it.
Created attachment 235: Generate login message as part of login recording.
This patch moves the generation of the generic last login message to sshlogin.c, the AIX loginsuccess call to loginrec.c and provides a monitor call to get the login message. (The AIX problem was that loginsuccess did not get called for non-password auth). The reason the monitor call is necessary is that on AIX, the last login message is generated as a side-effect of calling loginsuccess(). This needs root privs (as it does some logging too). Now if you have a postponed authentication, you can't safely call loginsuccess() before the post-auth privsep split (since the postponed authentication may not actually succeed). Hence, the only guaranteed safe place to call it is from the post-auth monitor, and therefore a monitor call is necessary to retrieve the login message. As a minor bonus (?) this also allows correct recording of ptys in the AIX login info.
I've had a look at the OpenBSD source and I don't think OpenBSD *needs* a "Buffer loginmsg" right now. PrintLastLog can be easily fixed by updating s->last_login_time before the privsep split. So, is there another reason OpenBSD needs (or wants) a "Buffer loginmsg"? Or should it be -portable only? Have I overlooked something? And what's the feeling on the monitor call in attachment #235?
Yes, the privsep split occurs post-auth, not once per session. Remember that an SSH2 connection may have multiple sessions (the ssh.com windows client allows this). If you collect the last login time at the time of the privsep split, then that would be displayed for all sessions.
OK, so if I understand correctly, the only guaranteed way to get the last login time is via a monitor call, so I hopefully won't get accused of bloat for proposing one...
Certainly not!
Created attachment 287: Generate loginmsg as part of login recording (against OpenBSD -current)
OK, here's the proposed patch against OpenBSD. The call to store_lastlog_message is where it is in record_login because under AIX the login message is generated as a side effect of loginsuccess(). The location under OpenBSD is not critical since it's a read-only operation.
Hmm, this will probably give multiple "Last login" messages if used with multiple sessions (none of my clients support it so I'm not sure about that). With my current plan for password expiry, loginmsg needs to be initialised before allowed_user() where it accumulates all of the "Your password/account will expire.." messages. Might need to clear the message after retrieving/printing it.
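Added example (not part of the thread and not OpenSSH code): the monitor call discussed above, with the clear-after-retrieval behaviour suggested in the preceding comment, so a second session on the same connection gets an empty reply. All names are hypothetical, and the fork direction is reversed from sshd (where the monitor is the parent) only so the caller can inspect both replies.

```c
/* Added illustration, not OpenSSH source; all names are hypothetical. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#define REQ_LOGINMSG 1
#define MSGLEN 128                      /* fixed-size reply frame */

/* Monitor: holds the message produced during login recording. */
static void monitor_serve(int fd, const char *initial)
{
    char loginmsg[MSGLEN] = "";         /* zero-filled, so always NUL-terminated */
    unsigned char req;
    strncpy(loginmsg, initial, MSGLEN - 1);
    while (read(fd, &req, 1) == 1 && req == REQ_LOGINMSG) {
        if (write(fd, loginmsg, MSGLEN) != MSGLEN)
            break;
        memset(loginmsg, 0, MSGLEN);    /* cleared once handed out */
    }
}

/* Session: one request/reply round trip; returns message length or -1. */
static int request_loginmsg(int fd, char out[MSGLEN])
{
    unsigned char req = REQ_LOGINMSG;
    if (write(fd, &req, 1) != 1 || recv(fd, out, MSGLEN, MSG_WAITALL) != MSGLEN)
        return -1;
    return (int)strlen(out);
}

/* Fork a monitor and make two session requests; total bytes or -1. */
int two_sessions(const char *msg, char first[MSGLEN], char second[MSGLEN])
{
    int sv[2], r1, r2;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {                     /* monitor process */
        close(sv[0]);
        monitor_serve(sv[1], msg);
        _exit(0);
    }
    close(sv[1]);
    r1 = request_loginmsg(sv[0], first);
    r2 = request_loginmsg(sv[0], second);
    close(sv[0]);                       /* EOF ends the monitor loop */
    waitpid(pid, NULL, 0);
    return (r1 < 0 || r2 < 0) ? -1 : r1 + r2;
}
```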
Created attachment 288: Generate loginmsg as part of login recording (against OpenBSD -current, take 2)
Simpler patch, removes many of the Buffer->string->Buffer contortions. Works with multiple sessions (ie most recent login time is displayed each time).
I have committed a similar patch which reports the error() on failure to create the pidfile, but not the "sshd -t" tests. There are just too many ways for an admin to break a system to test for them all. Besides, pidfile creation failure is non-fatal.
gah! I am a moron, sending changes to the wrong bug...
Created attachment 676: Simpler OpenBSD patch based on feedback from Markus
Created attachment 677: Patch 676 against Portable, plus AIX loginsuccess() support.
This has now been fixed (both in OpenBSD and Portable) with a variant of #676. The AIX-specific parts of 677 aren't in yet, I'll commit that as soon as it's tested OK.
PrintLastLog does not seem to work yet.
openssh.base.server 4.1.0.5301 COMMITTED Open Secure Shell Server
It is an AIX 5.3
# oslevel -r
5300-01
Are the AIX-specific parts in yet?
(In reply to comment #17)
> PrintLastLog does not seem to work yet.
>
> openssh.base.server 4.1.0.5301 COMMITTED Open Secure Shell
> Server

That looks like the IBM package on sourceforge. I don't really know what's in that so if you're having trouble with it you'll need to ask them. If you compile it from the source from openssh.com does it still misbehave?

> Are the AIX-specific parts in yet?

Yes, and have been for some time. On AIX, the system library call loginsuccess() generates the "last logged in at" message not sshd, so PrintLastLog yes/no won't have any effect but as long as the library calls work then you should see the messages.

$ ssh aixbox
Last unsuccessful login: Fri Sep 29 17:07:04 EET 2006 on ssh from [...]
Last login: Sat Oct 28 00:27:06 EET 2006 on /dev/pts/1 from [...]
$ oslevel
5.1.0.0
$ ssh -V
OpenSSH_4.4p1, OpenSSL 0.9.7l 28 Sep 2006
Since this has been resolved for quite some time and seems to be against a third-party binary I'm re-closing this bug. If you experience problems with the current version of the code from openssh.com on AIX then please open a new bug for it and we'll do what we can to help you.