Operating System - HP-UX

Re: OpenSSH and last commands

 
Jdamian
Respected Contributor

OpenSSH and last commands

How do I configure sshd so that the last and lastb commands show the connections made?

No connection made through ssh is reported by the last and lastb commands. Entries in syslog.log only show login name, IP:port and protocol. Info about tty and exit timestamp isn't reported.
11 REPLIES 11
Stefan Farrelly
Honored Contributor

Re: OpenSSH and last commands


It does do so on my servers running HP's version of SSH (T1471AA). As long as you login from a tty then it records to last and lastb entries perfectly fine.

If you are using Openssh then I suggest you install HP's version (download from software.hp.com) as obviously HP have integrated it far better to work with other commands such as last/lastb.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Jdamian
Respected Contributor

Re: OpenSSH and last commands

I'm using HP OpenSSH (T1471AA)
Stefan Farrelly
Honored Contributor

Re: OpenSSH and last commands


Are you logging in from a tty? See the manpage for sshd - you must login from a tty in order for last/lastb to record it.

i.e. after ssh'ing in do a tty command and it should show a /dev/pts or /dev/tty entry.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Jdamian
Respected Contributor

Re: OpenSSH and last commands

Of course I'm logging in from a tty.
Stefan Farrelly
Honored Contributor

Re: OpenSSH and last commands

Then all I can suggest is your /var/adm/wtmp and /var/adm/btmp files are corrupt if they're not recording ssh logins, as my servers record them fine. Try removing them.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Jdamian
Respected Contributor

Re: OpenSSH and last commands

Please, if those files were corrupt, the last command would dump a core.

I think it must be a bug of Reflection X Openssh client.
Kellogg Unix Team
Trusted Contributor

Re: OpenSSH and last commands

Damian,

Do you also have telnet enabled on this box? If yes, then do telnet entries show up in the 'last' command?

I haven't used Reflection X ssh client but have used - HP's OpenSSH, windows client for ssh2, and putty and all connections are duly logged in. I would also think that this is a feature of server side; client 'shouldn't' be able to dictate if connection attempts are logged or not.

If I get hold of Reflection X client, I will test it out and let you know.

...Manjeet
work is fun ! (my manager is standing behind me!!)
Steve Post
Trusted Contributor

Re: OpenSSH and last commands

I don't know. I would like to know it too.
The only thing I can suggest is to drop some piece of code into /etc/profile.

who am i -u >> /bigdisk/biglog.txt
date >> /bigdisk/biglog.txt

But this is kinda lame. You already have /var/adm/syslog/syslog.log. And my method does not tell you how long the person is in. Just when and where they came in.

You would also have to worry about the size of biglog.txt.

steve
Jdamian
Respected Contributor

Re: OpenSSH and last commands

I may use "telnet" protocol or "OpenSSH" protocol from Reflection X box.
The command launched from Rx box is:

(/usr/bin/X11/hpterm -bg DarkSeaGreen4 -fg White -fn 7x14 -sb -sl 5s -ls -display %IP#% &)

It's the same when 'telnet' protocol is used as well as 'OpenSSH' protocol is used.

'who' and 'tty' command show '/dev/ttyp1' while 'last' command shows 'pts/ta'.

$ tty
/dev/ttyp1
$ who am i
user ttyp1 9 Dic 10:11
$ last -2 user
user pts/tb Mon Dec 9 10:11 - 10:11 (00:00)
user ftp Thu Nov 28 12:50 - 12:50 (00:00)

Note the 'last' command shows my connection as closed because no 'still logged in' string appears. So I now think this problem is not due to OpenSSH.

I realized that 'telnet' protocol as well as 'OpenSSH' protocol shows wrong ttys when xterm or hpterm is used from ReflectionX.

If I get a connection from non-Reflection X box, as SecureCRT, this problem doesn't exist:

$ tty
/dev/pts/0
$ who am i
user pts/0 Dec 9 10:20
$ last -2 user
user pts/0 Mon Dec 9 10:20 still logged in
user pts/ta Mon Dec 9 10:05 - 10:05 (00:00)
Jdamian
Respected Contributor

Re: OpenSSH and last commands

I found out this issue...
The 'last' command works fine. When a session from Reflection X is opened, a telnet connection is established. Then a 'command' is run. This command used to be a Xclient as 'xterm' or 'hpterm'.

The tty name for telnet connection is logged in wtmp file (for instance pts/0).

xterm or hpterm needs a tty device to run because a shell is started. Then a second tty dev is used for the xclient and this is displayed by 'who' command (for instance ttyp1)

After launching xclient, the initial tty is released because the original telnet session is closed (yes, it's closed. 'telnetd' daemon is killed, but its child process (xclient) keeps running on. It doesn't need the initial tty nor the telnet connection because the X clients send and receive data through upper TCP ports). Thus 'last' command reports the initial connection is closed and 'who' commands reports activity in xclient tty device (ttyp1).

This discusses a behaviour noticed sometimes: 'who' command reported the same login connected in two tty devices but just for a few seconds. After a while, one of those lines reported by 'who' disappeared (that whose tty was pts/ta) and remained that line whose tty belongs to xclient (ttyp1).

Thanx for your help anyway.

.... the end ....
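
The mismatch explained in the post above (a session still listed by 'who' on one tty while 'last' shows the login on another tty as closed) can be checked for mechanically when auditing logins. This is an added example, not code from any poster in the thread; the function names and file names are hypothetical, and the sample lines are constructed, modelled on the output quoted earlier.

```shell
#!/bin/sh
# Added example (not from the thread). Names are hypothetical.
# Lists user/tty pairs that `who` (utmp) reports as active but for which
# `last` (wtmp) shows no "still logged in" record on that same tty.
# usage: orphan_sessions WHO_OUTPUT_FILE LAST_OUTPUT_FILE
orphan_sessions() {
    awk '
        # First argument: saved `last` output. Remember open user/tty pairs.
        FILENAME == ARGV[1] {
            if ($0 ~ /still logged in/) open[$1 SUBSEP $2] = 1
            next
        }
        # Second argument: saved `who` output (field 1 user, field 2 tty).
        NF >= 2 {
            key = $1 SUBSEP $2
            if (!(key in open)) print $1, $2
        }
    ' "$2" "$1"
}

# Constructed sample data modelled on the output quoted in the thread.
demo() {
    dir="${TMPDIR:-/tmp}/orphan_demo.$$"
    mkdir -p "$dir" || return 1
    cat > "$dir/who.txt" <<'EOF'
user       ttyp1        Dec  9 10:11
user       pts/0        Dec  9 10:20
EOF
    cat > "$dir/last.txt" <<'EOF'
user      pts/0        Mon Dec  9 10:20   still logged in
user      pts/tb       Mon Dec  9 10:11 - 10:11  (00:00)
EOF
    orphan_sessions "$dir/who.txt" "$dir/last.txt"
    rm -rf "$dir"
}

demo    # prints: user ttyp1
```

On a live system the two inputs would be saved output of 'who' and 'last'; any pair printed is a session with no open wtmp record, which is exactly the xterm/hpterm case described in the thread.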
Kellogg Unix Team
Trusted Contributor

Re: OpenSSH and last commands

Damian,

Great find! I managed to get Reflection X (older version v8.00 w/o ssh capability), and as soon as I would telnet (with xterm), I was able to see my telnet session with "last -2" command showing "still logged in". But after some time, if I would run "last -2" again, the connection seemed to be closed (whereas I am still logged in!). Your explanation helped!

Thanks for sharing!
...Manjeet
work is fun ! (my manager is standing behind me!!)