Double motd and last login

After upgrading the openssh package to openssh-5.1_p1-r1 on our Gentoo system, we started receiving duplicated motd and last login messages on every ssh login. The reason is that the new PAM scripts for ssh come with pam_lastlog and pam_motd enabled. The first set of last login and motd messages is displayed by the PAM system, and the second is displayed by the ssh daemon itself, because PrintMotd and PrintLastLog are enabled by default. To avoid duplicated lines on every ssh login, add the following lines to /etc/sshd_config:

PrintMotd no
PrintLastLog no

or disable pam_lastlog and pam_motd in /etc/pam.d/system-login.

I would recommend the first method because pam scripts are more configurable.
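To see which messages are still printed twice on a given host, the check can be scripted. The following is an added example, not part of the original post: it reads sshd_config and the PAM session stack for the sshd service and reports what both sides print. It goes slightly beyond the text by following include lines and honoring pam_lastlog's silent option; the function names and sample file contents are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults; a distribution's shipped sshd_config may differ.
SSHD_DEFAULTS = {"usepam": "no", "printmotd": "yes", "printlastlog": "yes"}

def sshd_settings(text):
    """Effective settings: keywords are case-insensitive, first value wins."""
    found = {}
    for line in text.splitlines():
        parts = re.split(r"[\s=]+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in SSHD_DEFAULTS:
            found.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**SSHD_DEFAULTS, **found}

def pam_session_modules(service, read, seen=frozenset()):
    """List (module, args) of a service's session stack, following includes."""
    if service in seen:
        return []  # guard against include loops
    modules = []
    for line in read(service).splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        so = [i for i, f in enumerate(fields) if f.endswith(".so")]
        if fields[1] in ("include", "substack"):
            modules += pam_session_modules(fields[2], read, seen | {service})
        elif so:
            name = fields[so[0]].rsplit("/", 1)[-1]
            modules.append((name, fields[so[0] + 1:]))
    return modules

def duplicated_outputs(sshd_text, read_pam, service="sshd"):
    """Messages printed by both sshd itself and the PAM session stack."""
    cfg = sshd_settings(sshd_text)
    if cfg["usepam"] != "yes":
        return []  # without PAM only sshd prints
    mods = pam_session_modules(service, read_pam)
    checks = (("motd", "printmotd", "pam_motd.so", None),
              ("lastlog", "printlastlog", "pam_lastlog.so", "silent"))
    return [name for name, key, mod, quiet in checks if cfg[key] == "yes"
            and any(m == mod and quiet not in args for m, args in mods)]

# Constructed sample files mirroring the include chain discussed on this page.
SAMPLE_SSHD = "UsePAM yes\n#PrintMotd yes\n#PrintLastLog yes\n"
SAMPLE_PAM = {
    "sshd": "session include system-remote-login\n",
    "system-remote-login": "session include system-login\n",
    "system-login": "session optional pam_lastlog.so\nsession optional pam_motd.so\n",
}
print(duplicated_outputs(SAMPLE_SSHD, SAMPLE_PAM.__getitem__))
```

On a real system, pass the text of the sshd configuration file and a reader that returns the contents of the named file under /etc/pam.d.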

8 Responses

  1. Sascha W.

    Very useful.
    Thank You.

  2. This issue was on my system after recovering /etc from a backup and re-emerging system packages and I was searching around like a fool; thank you!

  3. ben K

    Thanks too; this addresses the exact issue I was seeking by a google search for “gentoo ssh double login”!

    I’ve disabled the params in the ssh config as you suggest, and it suppresses the double motd. However, there are still double entries in the ‘last’ log (one for ‘ssh’, and one for the ‘pts/X’). The ‘ssh’ entries didn’t use to show up before the upgrade. How can I remove the redundant logging?

    ben

  4. It looks like ssh does not have any configuration option to disable lastlog logging. Though you can overwrite “session” pam.d rules for ssh in /etc/pam.d/sshd file, remove pam_lastlog.so and pam_motd.so lines and enable PrintMotd and PrintLastLog in /etc/sshd_config.

    For example, in my case I have the following pam.d/sshd:

    auth       include      system-remote-login
    account    include      system-remote-login
    password   include      system-remote-login
     
    session    required     pam_env.so
    session    include      system-auth

  5. ben K

    Thanks, this is what I’ve now done (more or less). I commented out the lastlog, motd and mail modules in /etc/pam/system-login (which is included from system-remote-login which is included from sshd).

    Maybe a more proper solution though would be to edit /etc/pam/sshd directly as you suggest, so as not to inadvertently cripple anything else using the system-login method…

  6. Thanks for this. After reading this, I toggled a few settings to see what they did. Setting SSHD’s UsePAM option to “no” also fixed this issue for me along w/ the other possible fixes.

  7. That’s a good point, Nolan!

  8. ben K

    Nolan, thanks for pointing this out; it’s an even better (and simpler) solution. I’m surprised I didn’t read through the rest of sshd_config and pay attention to the UsePAM setting!

    Thanks.
