18

I would like to edit the Last login: information that is printed out along with the message of the day, yet I can't find the script which generates and echoes out.

Where is it defined, in an easy-to-edit shell script, or closed off in a binary?

Note, this is different from ServerFault: How can I edit the welcome message when ssh start?. The "last login" information is not printed out from inside /etc/update-motd.d/, but is instead defined by setting the PrintLastLog flag, and can therefore not be edited like the other parts of the message of the day.

Community
  • 1
IQAndreas
  • 1,480
  • 2
  • 19
  • 39
  • This information is saved in `utmp` and `wtmp` files (depending on distribution, check in `/var/run/utmp` or `/var/log/utmp` or look in `/var` directory). These files are not saved as text, but as binary, so you will need special tools to edit them. The utmp file keeps track of the current login state of each user. The wtmp file records all logins and logouts history. You will need special tools to edit them, but I could not find anything really. – phoops May 23 '14 at 10:00

4 Answers4

16

Looks like the format of the printed line is compiled into sshd:

[me@risby ~]$ ssh lory
Last login: Fri May 23 10:59:01 2014 from 2a01:2c0:e:300:7271:bcff:feac:445a
[me@lory ~]$ strings /usr/sbin/sshd | grep -i "last login"
Last login: %s
Last login: %s from %s

I can't see any config option for changing that either, so you will need to edit the source and recompile.

Edit: In the limiting case, you can find source at http://www.openssh.org. But you don't tell us that you're using OpenSSH, or anything about your platform, so it's hard to be more specific. If it's a Linux system, you would do much better to get the source appropriate to your distro in the usual way, and recompile through your distro-specific mechanisms.

But really, you shouldn't do this at all unless you have an extremely-compelling business reason to do so: you're making a maintenance nightmare for yourself, going to a hand-compiled version of a security-sensitive package.

MadHatter
  • 78,442
  • 20
  • 178
  • 229
  • Where can the source code behind `sshd` be found? – IQAndreas May 23 '14 at 10:08
  • 1
    Actually, I was planning something else with the source. I wanted to see how they parse the data from `wtmp`, set the `PrintLastLog` flag to `no`, and re-create the "last login" notice with my own script in placed in `update-motd.d`. Much more maintenance friendly. :) – IQAndreas May 23 '14 at 10:17
  • 1
    I am frequently seeing `motd` output not being completely up to date. So I am thinking `update-motd` might not be run on every login. – kasperd May 23 '14 at 10:20
  • @kasperd It updates every 10 minutes as a cron job. This is to help in case it tries to do something "slow" like retrieve a string from the internet, so it doesn't make the server slow down every time someone logs in. – IQAndreas May 23 '14 at 11:24
  • 3
    The "last login" message is user specific, while the *motd* is system-wide. I'm not sure how you want to recreate the message. Also, there are people who actually read this message, and want it to be as accurate as possible. – Simon Richter May 23 '14 at 14:47
6

The last login information is stored in /var/log/wtmp or /var/log/utmp they are binary files. Without looking at the source code for sshd I can't be entirely sure but I would expect that it is retrieving the information from those files using suitable system calls

It seems unlikely you'll find a way to easily change this information it is after all part of the users security.

If you really want the gory details then you need to look at the source code for the function login_get_lastlog which can be found in loginrec.c

user9517
  • 114,104
  • 20
  • 206
  • 289
  • @lain +1 because of the source code suggestion - although I don't think it were a gory solution, all he needs is a local git mirror. Imho using the source isn't from the devil even for the sysadms. – peterh May 23 '14 at 15:14
3

Another solution would be to clear the screen at the beginning of the motd file like so:

^[[H^[[2J
whatever was originally in the motd file here

Note: replace ^[ with the escape symbol (which you can create in the nano editor by pressing the following keys: esc+v+esc)

user514464
  • 31
  • 2
-2

Perhaps some work around in case you just want to change last login IP?

For example, you can change the shown IP address to "localhost" by logging in to ssh again from remote controlled machine!

Remote login via ssh >> ssh username@localhost

Now the last IP recorded will be localhost

caffeine
  • 113
  • 5