ssh, "Last Login", `last` and OS X

5,785

Solution 1

The man pages on my 10.6 machine point me in the direction of asl(3), utmpx(5), and endutxent(3). It seems modern Mac OS X records utmp/wtmp/lastlog-like information in the Apple SysLog (asl) database files at /var/log/asl/*.

It seems the long hostnames that bother you were recorded in that database back when that was what those hosts were named, and you can't get rid of them short of pruning or editing your asl database.

Solution 2

From man sshd_config:

 PrintLastLog
         Specifies whether sshd(8) should print the date and time of the
         last user login when a user logs in interactively.  The default
         is ``yes''.

So that at least explains why you're seeing the message.

Regarding the hostname resolution - it will use the system resolver library, which may return different results than dig. In particular, if you have an entry in your local (i.e., local to the remote machine) /etc/hosts file, that will (probably, depending on how the resolver is configured) be checked first. If the remote machine is using a local (to it) nameserver that serves a different result than the public result (e.g., your ISP serves one set of PTR records internally and another set externally) this could also explain the disparity.
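The difference between the system resolver and dig described in the answer above can be checked on the remote machine with a short script. This is an added example, not part of the original answer; the function names and the sample hosts file are constructed for illustration.

```python
import ipaddress
import socket
import sys

# Constructed sample of a remote machine's /etc/hosts (not from the page).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
fe80::1%lo0  localhost
# stale pin for a client address (constructed)
203.0.113.7  old-long-name.isp.example laptop
"""

def hosts_lookup(ip, hosts_text):
    """Return the first name a hosts file maps to ip, or None."""
    target = ipaddress.ip_address(ip)
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            if ipaddress.ip_address(fields[0]) == target:
                return fields[1]
        except ValueError:  # malformed or unparseable address: skip the line
            continue
    return None

def ptr_query_name(ip):
    """Name that `dig -x ip` asks DNS for (octets reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_reverse(ip):
    """Reverse lookup through the system resolver, as a local daemon gets it."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def compare(ip, hosts_text):
    """Collect both views so a hosts-file entry that may shadow DNS is visible."""
    pinned = hosts_lookup(ip, hosts_text)
    return {"hosts_file": pinned, "ptr_query": ptr_query_name(ip),
            "hosts_may_shadow_dns": pinned is not None}

if __name__ == "__main__" and len(sys.argv) > 1:
    with open("/etc/hosts") as fh:
        report = compare(sys.argv[1], fh.read())
    report["system_resolver"] = system_reverse(sys.argv[1])
    print(report)
    print("compare with: dig +short PTR", report["ptr_query"])
```

Run it on the machine that prints the "Last login" line, passing the client's IP address as the only argument; if `system_resolver` differs from what dig returns, the hosts file or a local nameserver is supplying the name.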


Author: user17245

Updated on September 17, 2022

Comments

  • user17245
    user17245 almost 2 years

    I have hit the googles as much as I can on this, being specific to OS X, I am not finding an answer. Nothing is wrong, but curiosity levels are high.

    $ssh [email protected]
    Password:
    Last login: Wed Apr  7 21:28:03 2010 from my-laptop.local
    ^lonely tylenol^
    
    • Line 1 is my command
    • line 2 is the shell asking for the password
    • line 3 is where my question comes from
    • line 4 comes out of /etc/motd

    I can find nothing in ~/ of any of the .bash* files that contains the string "Last Login", and would like to alter it. It performs some type of hostname lookup, which I can not determine.

    If I ssh to another host:

    $ssh [email protected]
    Last login: Wed Apr  7 21:14:51 2010 from 123-234-321-123-some.cal.isp.net.example
    hi there, you are on box 456
    
    • line 1 is my command
    • line 2 is again, where my question comes from
    • line 3 is from /etc/motd

    *The dash'd IP address is not reversed

    On this remote host, I have ~/.ssh and its corresponding keys set up, so there was no password request.

    Where is the "Last Login:" coming from, where does the date stamp come from, and most importantly, where does the hostname come from?

    While on [email protected] (box 456)

    $echo hostname
    remote.location.example456.com

    Or with dig, to make sure I have rDNS/PTR set up, for which I am not authoritative, but my ISP has correctly set...

    $dig -x 123.234.321.123  PTR   remote.location.example456.com
    

    or

    $dig PTR 123.321.234.123.in-addr.arpa. +short
    remote.location.example456.com.
    

    my previous hostname used to be 123-234-321-123-some.cal.isp.net.example, which I set with hostname -s remote.location.example456.com, because it was obnoxious to see such a long name. That solves the value of $echo hostname which now returns remote.location.example456.com.

    Mac OS X, 10.6 in this case, does seem to honor:

    touch ~/.hushlogin
    

    If I leave that file empty, I get nothing on the shell when I login. I want to know what controls the host resolution of the IP, and how it is all working. For example, running last reports a huge list of my logins, which have obtusely long hostnames, when they would be preferable to just be remote.location.example456.com.

    More confusing to me, reading the man page for wtmp and lastlog, it looks like lastlog is not used on OS X, /var/log/lastlog does not exist. Actually, none of these exist on 10.5 or 10.6:

     /var/run/utmp     The utmp file.
     /var/log/wtmp     The wtmp file.
     /var/log/lastlog  The lastlog file.
    

    If I am to assume that the system is doing some kind of reverse lookup, I certainly do not know what it is, as it is not an accurate one.

  • user17245
    user17245 about 14 years
    Ahh, this is very good, I am happy to wipe the asl database, and you are right, at one time, I did not have PTR's set, so they got into the ASL db, and are not "stuck" that way. Thanks. This sucks, because you and the other guys are both right on in your answers, which one do I check off?
  • user17245
    user17245 about 14 years
    I checked off the other answer as correct, as it tells me how to fix the hostname, but you also tell me how to change the LastLog bits, so I wanted to check you off. It ended up being a matter of what was most important to me to solve. Thank you, your answer was spot on as well.