This is a regression caused by the fix for bug 139539 in the setup package.

I don't think this is a sshd bug, for example the login binary doesn't work well
with missing lastlog file too (it won't create the file, so the last login
information is lost).

I'd suggest touching the lastlog file in the post install script of the setup
package if it has to be %ghost and not %config.

This is *theoretically* created by useradd; did the behavior change there?

If it changed it is not a recent change - on a FC3 box:
root@perun:~# ls -l /var/log/lastlog
-r--------  1 root root 146584 Mar 23 09:04 /var/log/lastlog
root@perun:~# rm /var/log/lastlog
rm: remove regular file `/var/log/lastlog'? y
root@perun:~# useradd testuser2
root@perun:~# ls -l /var/log/lastlog
ls: /var/log/lastlog: No such file or directory

Unfortunately, setup *cannot* have prereqs, as it would create an unsolvable
dependency loop.

So, the creation would have to be somewhere else. :/

Candidates are shadow-utils, sysklogd, logrotate, util-linux... ?

I vote for util-linux then as login is a part of the package.

Should the util-linux package also own the file as %ghost?

If it creates it, probably.

The login doesn't create /var/log/lastlog :-(

I don't know how many programs write something to the 'lastlog', but I think
each program that write something to 'lastlog' have to use something like:

  open(PATH_LASTLOG, O_RDWR | O_CREATE, 0)
                              ^^^^^^^^^

Or is there any reason why only (any) install script should be create it? IMHO
it's important file and it should be created always when it missing in system.

Well, the messages from sshd are from the portions that simply read it to get
the last login time. I suppose you could argue that they could be silenced in
that case, but I don't think making the file is correct there.

*** Bug 152635 has been marked as a duplicate of this bug. ***