
News, tips, partners, and perspectives for the Oracle Solaris operating system

Last login tracking in pam_unix_session

Alan Coopersmith
Senior Principal Software Engineer

[Screenshot: last login dialog in gdm]

When you first log in to a desktop session on Solaris 11.3, you may notice a new notification dialog box informing you of your last login time and location, which may help you notice if an unauthorized login has occurred. This is a good security practice and commonly required by various security policies.

Previously, different applications handled this display in different ways (or didn't show the info at all). In Solaris 11.3, it has been centralized into a common implementation in PAM so that all login methods should display it uniformly.

The time & location of a user’s login has long been recorded into the /var/log/lastlog file by pam_unix_session on Solaris. Other parts of the PAM stack reference this for inactive account tracking. In prior Solaris releases, /bin/login and ssh would read the file and then print a message such as:

      Last login: Wed Sep 17 15:24:05 2014 from gojira

Rather than copying that code into every application processing logins, the PAM team decided to remove the existing calls and have pam_unix_session print that message instead, via the PAM conversation routines that all conforming PAM applications should be using. Applications that don't want to show this can pass the PAM_SILENT flag to pam_open_session(3PAM).

If sysadmins want to silence the notices, they can do so via the PAM configuration files for the application in question. For instance, if you don’t want that popup when you log in to the desktop via the GDM display manager, you simply need to create /etc/pam.d/gdm (or update it if you already have one) to include the line:

      session required        pam_unix_session.so.1    nowarn

The pam_unix_session(5) man page has been updated to describe this change as well.
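
Since the notice is a control that security policies commonly require, it is useful to know which services have had it switched off. The script below is an added example, not code from the original post or from Solaris: it lists the services in a PAM configuration directory whose session stack passes nowarn to pam_unix_session. It assumes /etc/pam.d-style lines (type, control flag, module, options); the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report PAM services where the last-login notice is
# silenced by the "nowarn" option on pam_unix_session.
# Assumption: per-service files in the /etc/pam.d format
#   <type> <control-flag> <module-path> [options...]

# find_silenced_lastlogin [DIR]
# Prints "<service>:<line-number>" for every matching session line.
find_silenced_lastlogin() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$(basename "$f")" '
            { sub(/#.*/, "") }           # drop comments, re-split fields
            $1 != "session" { next }     # only the session stack matters
            {
                mod = 0
                for (i = 2; i <= NF; i++) {
                    # options only count once the module has been seen
                    if (mod && $i == "nowarn") { print svc ":" NR; next }
                    if ($i ~ /pam_unix_session\.so/) mod = i
                }
            }
        ' "$f"
    done
}

# Demo on constructed files (not real system configuration).
demo=$(mktemp -d)
printf 'session required        pam_unix_session.so.1    nowarn\n' > "$demo/gdm"
printf 'session required        pam_unix_session.so.1\n' > "$demo/login"
find_silenced_lastlogin "$demo"     # prints gdm:1
rm -rf "$demo"
```

Run it with no argument to check /etc/pam.d on the local system; an empty result means no per-service file passes nowarn to pam_unix_session.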


Comments ( 1 )
  • Carlos Azevedo Wednesday, March 16, 2016

    Thanks, that's nice.

    It's good to have that re-engineering under the hood.

    And it's good to know how to tweak the defaults :-)
