Description of problem:
I don't know if this is two bugs or one. First, lastlog does NOT show in its list any users I've added (including me, bruce, which I added at system installation). Second, lastlog DOES show root user in its list, but as **Never logged in**, which is incorrect.

[root@localhost ~]$ lastlog
Username         Port     From             Latest
root                                       **Never logged in**
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
news                                       **Never logged in**
uucp                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
gopher                                     **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
vcsa                                       **Never logged in**
rpc                                        **Never logged in**
ntp                                        **Never logged in**
nscd                                       **Never logged in**
apache                                     **Never logged in**
mailnull                                   **Never logged in**
smmsp                                      **Never logged in**
sshd                                       **Never logged in**
rpcuser                                    **Never logged in**
tcpdump                                    **Never logged in**
rpm                                        **Never logged in**
dbus                                       **Never logged in**
avahi                                      **Never logged in**
torrent                                    **Never logged in**
xfs                                        **Never logged in**
haldaemon                                  **Never logged in**
gdm                                        **Never logged in**
hsqldb                                     **Never logged in**

Missing from the above list are users bruce and lisa, and root shows as **Never logged in**, which is incorrect.

Furthermore, the command "last" does show login information for root, bruce and lisa:

[root@localhost ~]# last
bruce    pts/1        :0.0             Thu Jun 28 12:50   still logged in
bruce    pts/0        :0.0             Thu Jun 28 12:27   still logged in
bruce    pts/0        :0.0             Thu Jun 28 12:27 - 12:27  (00:00)
bruce    :0                            Thu Jun 28 12:25   still logged in
root     pts/0        :0.0             Thu Jun 28 12:23 - 12:25  (00:01)
root     :0                            Thu Jun 28 12:23 - 12:25  (00:02)
[snip]
lisa     :0                            Sun Jun 10 11:48 - 11:50  (00:01)

How reproducible:
Type lastlog at the prompt (as root or user) and root user incorrectly shows as **Never logged in** and regular users are missing from the list.
Expected results: lastlog should correctly show all users and when the users were last logged in.
I can't reproduce it. :(

# useradd foo
# lastlog | grep foo
foo                                        **Never logged in**
# passwd foo
Changing password for user foo.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# ssh foo@localhost
foo@localhost's password:
$ lastlog | grep foo
foo              pts/1    localhost.locald Fri Jun 29 12:39:09 +0400 2007
# rpm -q shadow-utils
shadow-utils-4.0.18.1-13.fc7
# rpm -q fedora-release
fedora-release-7.89-1
Peter, thanks for your quick response. I guess I was misunderstanding how lastlog works and how it is different than last. I incorrectly thought that a "su" or regular user login at boot would show in lastlog. I see now that lastlog only records remote logins from such things as sshd. And I had disabled sshd on this box, and had never remotely logged in. I enabled sshd and ssh'd into a user and the login was now displayed via lastlog just fine. What got me going on this was the chkrootkit warning: "Checking `z2'... user root deleted or never logged from lastlog!" Also, it's interesting that the manpage for lastlog does not state that it logs only remote logins and not local logins.
lastlog works also with local logins on tty1 for example.
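
For reference alongside this thread, an added example (not part of the original report and not shadow-utils code) that reads lastlog-style records directly and shows which slots come out as **Never logged in**. It assumes the glibc `struct lastlog` layout on x86 (32-bit time, 32-byte line, 256-byte host, one record per UID); the helper names, the UIDs and the sample data are constructed for illustration.

```python
import struct
import time

# Assumed on-disk layout (glibc struct lastlog on x86/x86_64, little-endian):
#   int32 ll_time; char ll_line[32]; char ll_host[256]  -> 292 bytes per UID
RECORD = struct.Struct("<i32s256s")


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def read_record(data, uid):
    """Return (epoch, line, host) for uid, or None for a never-logged-in slot.

    A slot with ll_time == 0 is what lastlog prints as **Never logged in**;
    a slot past the end of the file is treated the same way in this example.
    """
    chunk = data[uid * RECORD.size:(uid + 1) * RECORD.size]
    if len(chunk) < RECORD.size:
        return None
    ll_time, ll_line, ll_host = RECORD.unpack(chunk)
    if ll_time == 0:
        return None
    return ll_time, _cstr(ll_line), _cstr(ll_host)


def report(data, accounts):
    """Build (name, status) rows for a list of (name, uid) pairs."""
    rows = []
    for name, uid in accounts:
        rec = read_record(data, uid)
        if rec is None:
            rows.append((name, "**Never logged in**"))
        else:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(rec[0]))
            rows.append((name, f"{rec[1]} {rec[2]} {stamp}"))
    return rows


def build_sample():
    """Constructed sample: UID 0 slot zeroed, UID 500 written, nothing after."""
    data = bytearray(RECORD.size * 501)
    RECORD.pack_into(data, 500 * RECORD.size, 1183106349, b"pts/1", b"localhost")
    return bytes(data)


if __name__ == "__main__":
    # Account names come from the thread; the UIDs are assumptions.
    accounts = [("root", 0), ("bruce", 500), ("foo", 501)]
    for name, status in report(build_sample(), accounts):
        print(f"{name:<10}{status}")
```

To inspect a real system, pass the bytes of /var/log/lastlog and the (name, uid) pairs from /etc/passwd to `report` in place of the constructed sample.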