# 2 last login messages on ssh connection

## alex.blackbit

hi,

i get this

```
$ ssh wall

Last login: Wed Jul 30 21:57:30 CEST 2008 from seaburg on pts/2

Last login: Wed Jul 30 21:58:09 2008 from seaburg

%
```

i already re-emerged openssh and did a revdep-rebuild. the sshd-config is sane.

who knows what's wrong?

----------

## think4urs11

check /etc/motd

check Banner setting in /etc/ssh/sshd_config

the first one should come from PrintLastLog yes in /etc/ssh/sshd_config

----------

## alex.blackbit

/etc/motd did not exist. for testing i just echoed "foo" in it.

PrintLastLog in sshd_config was commented out, i commented it in and set it to no.

here is the result:

```
$ ssh wall

Last login: Thu Jul 31 00:04:31 CEST 2008 from seaburg on pts/2

foo

Last login: Thu Jul 31 00:04:47 2008 from seaburg

foo

%
```

----------

## TwoMinds

Hi. I have the same problem here: twice motd and last login.

----------

## alex.blackbit

Think4UrS11, PrintLastLog seems to have a default value of yes. it was commented out in my config file. i commented it in and set it to no. now 1 last login message appears.

is this from pam? or is this one too from ssh and it gets something wrong?

i find it interesting that one time the timezone and tty are printed, and one time not, if both outputs appear.

----------

## theholymac

After switching my dev/test box over to ~x86, this issue occurred.  When ssh'ing in, the motd and last login were displayed twice.  

Setting both "PrintMotd" and "PrintLastLog" to "no" fixed this.  Either MOTD behavior changed, sshd behavior changed, or these options used to be set to "no" as default.  I'm not certain what is the case, but the issue it created was merely annoying and the fix was easy.

----------

## nutbar

I just updated my system and noticed this as well.  I checked up on changes to openssh and it doesn't appear that they have changed the default PrintLastLog to cause this (so it was always defaulted to yes).  I peeked at the ChangeLog from the openssh ebuild and it seems that at around openssh 5.0, they switched to using "pambase" or whatever, and I did notice a call to pam_lastlog.so in an included pam.d config file.

So one line is coming from SSH, the other is from PAM.  The first lastlog line you see is from PAM, and the 2nd one is from SSH (the one without the timezone).  My personal fix was editing /etc/ssh/sshd_config and setting PrintLastLog to no (esp since PAM provides more detail - and the time entry is correct, whereas I noticed SSH was off by 2 hours with me using UTC).

----------

## mindful

After editing /etc/ssh/ssd_config to include 'PrintLastLog no' I had to restart sshd with >>> '/etc/init.d/sshd zap && kill $(pgrep -f /usr/sbin/sshd) && rc'.

Doing a '/etc/init.d/sshd restart' killed my sshd and didn't restart it on one of my servers. The above forgoes that nonsense.

----------

## thumper

And now the last command shows two logins as well as two motd's and last logins, one for pts/0 and one for ssh and seems to have started after upgrading to net-misc/openssh-5.1_p1-r1

George

----------

## rev138

This occurred for me after uninstalling ss and com_err in order to upgrade e2fsprogs. I have no idea if there's a connection.

----------

## thumper

 *rev138 wrote:*   

> This occurred for me after uninstalling ss and com_err in order to upgrade e2fsprogs. I have no idea if there's a connection.

 

Interesting, I did that at the same time openssh got upgraded, the plot thickens.

George

----------

## figueroa

During my more or less weekly update, the following was included:

 *Quote:*   

> [ebuild     U ] net-misc/openssh-5.1_p1-r1 [4.7_p1-r6]

 

This changed the login message behavior noted by all of you.  The solution to change PrintLastLog to no in etc/ssh/sshd_config made the desired correction.

As mindful pointed out in his post, if you are currently logged into the box via ssh, you have to take extra pains to bring sshd to a full stop then restart it.  An ordinary /etc/init.d/sshd restart won't cut it.

This does not seem to be related to the e2fsprogs ss com_err fiasco.  It just took place at the same time.

----------

## reillyeon

Ok, thanks.  That fixed the double "Last login:" message but it's still creating two entries that I see when I run "last".  Any ideas?

----------

## qriff

That did not fix anything, you changed the symptom of the same bug.

Just the mere definition of a setting named "PrintLastLog" is that when set to "Yes" there is a print of the last login, and vice versa.

Technically, setting "PrintLastLog" to "No" and still getting a print would be considered another bug.

Typical Gentoo ricing, anything that just hides anomalies is presented as a solution.

----------

## eaglex

This can be fixed by commenting out:

```
session                optional        pam_lastlog.so
```

from /etc/pam.d/system-login.

And for those wondering:

 *Quote:*   

> pam_lastlog is a PAM module to display a line of information about the last login of the user. In addition, the module maintains the /var/log/lastlog file.
> 
> Some applications may perform this function themselves. In such cases, this module is not necessary.

 

----------

## zeek

 *eaglex wrote:*   

> This can be fixed by commenting out:
> 
> ```
> session                optional        pam_lastlog.so
> ```
> ...

 

That effects everything that uses system-login, which I believe includes console logins.  IOW, console logins will no longer add a line to wtmp (lastlog).  Its better to edit /etc/pam.d/sshd instead to limit any potential side effects.  See the bug report:

https://bugs.gentoo.org/show_bug.cgi?id=244816#c5

----------

## qriff

Now there are some real theories and fixes.

Thank you eaglex and zeek

----------

## bunder

 *Quote:*   

> This changed the login message behavior noted by all of you. The solution to change PrintLastLog to no in etc/ssh/sshd_config made the desired correction. 

 

didn't work here.  masked =net-misc/openssh-5.1_p1-r1 on every single machine i own until they figure this crap out.   :Evil or Very Mad: 

----------

## eaglex

 *zeek wrote:*   

> IOW, console logins will no longer add a line to wtmp (lastlog).

 

Works for me.

```
$ last -1

eaglex   tty1                          Sat Nov 22 14:42 - 14:42  (00:00)
```

But you are right, it is better to double-check / modify only what bugs you.

----------

## qriff

Nowdays default /etc/pam.d/sshd uses only system-remote-login.

```
auth       include      system-remote-login

account    include      system-remote-login

password   include      system-remote-login

session    include      system-remote-login
```

----------

## ArNiS

I have got the same problem with double motd message after openssh update. It was successfully healed by commenting out 

#session                optional        pam_motd.so motd=/etc/motd

in /etc/pam.d/system-login

----------

## bunder

 *ArNiS wrote:*   

> I have got the same problem with double motd message after openssh update. It was successfully healed by commenting out 
> 
> #session                optional        pam_motd.so motd=/etc/motd
> 
> in /etc/pam.d/system-login

 

does that have any effect on local logins?  or logins that use pam, other than ssh?

thanks

----------

## xtz

If you don't use pam, the issue with the double-message does not appear. The problem is occuring only if openssh is compiled with 'pam' included in the USE flags.

----------

## ArNiS

 *bunder wrote:*   

> 
> 
> does that have any effect on local logins?  or logins that use pam, other than ssh?
> 
> thanks

 

Actually pam_motd.so is optional module. Doesn't seem like it have any effect on any other things except "message of the day"

----------

## the_g_cat

I don't know if some people are still hitting this "bug", but I had a little different approach: instead of changing the PAM configuration in system-login (which in my eyes is too deep-going a measure to just adjust some stuff for sshd), I copied the 5 session lines out of it and copied them in the sshd PAM file and commented the lines causing the double login.

The Only file I changed is /etc/pam.d/sshd to:

```
# cat /etc/pam.d/sshd

auth       include      system-remote-login

account    include      system-remote-login

password   include      system-remote-login

#session           include      system-remote-login

session         required        pam_env.so 

#session         optional        pam_lastlog.so 

session         include         system-auth

#session         optional        pam_motd.so motd=/etc/motd

session         optional        pam_mail.so 
```

This solves the double lastlog message, the double motd (if present) and the double entry in wtmp, leaving only the one with the tty (as opposed to the one with the process name set by pam).

Please be aware though, that any change to the session settings in system-remote-login or system-login will not be included in the sshd PAM config.

----------

## ziggysquatch

 *the_g_cat wrote:*   

> I don't know if some people are still hitting this "bug", but I had a little different approach: instead of changing the PAM configuration in system-login (which in my eyes is too deep-going a measure to just adjust some stuff for sshd), I copied the 5 session lines out of it and copied them in the sshd PAM file and commented the lines causing the double login.
> 
> The Only file I changed is /etc/pam.d/sshd to:
> 
> ```
> ...

 

I like that.  That's what I just set up.  Maybe I should make a separate one altogether, I think that this will eventually be overwritten with an etc-update if I don't pay attention (if these are included with those updates).

----------

## bunder

did this ever get fixed...  a proper way without completely breaking how pam works?

thanks

----------

