Initially filed upstream at https://bugzilla.gnome.org/show_bug.cgi?id=694489 - we debugged it this morning with Ray and we found out the following.

On rawhide /etc/pam.d/postlogin has the following lines:

    session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet
    session [default=1] pam_lastlog.so nowtmp showfailed
    session optional pam_lastlog.so silent noupdate showfailed

The first line translates to "if service doesn't match gdm*, skip one line below". This causes the bug described above for gdm - in case the service is gdm, the line will fail and proceed to the next one, which shows lastlog (it doesn't have the silent option), and at the same time, causes lastlog to be hidden for every other login.

The correct fix is to just change the wrong !~ condition check to =~. That way, when the service is gdm, lastlog will be silent, and it will still display for every other login.

Once you do that, you'll see logging in through sshd will display two lastlog lines, with slightly inconsistent output (e.g. the date formatting is different). That is because sshd, by default, shows its own lastlog line, which can be disabled by setting PrintLastLog to "no" in /etc/ssh/sshd_config. I think that default value should be changed together with the aforementioned change in postlogin file.
GDM needs to be able to display these messages sanely or forward them at least to the gnome-session to be displayed as notification. Of course then is the other question whether Fedora really needs to display the last login message and/or the previous failed logins message. As this is functionality that is required mostly only in enterprise deployments. We might switch it off in Fedora (only) but we will still need this feature in RHEL.
okay so there's three facets to this issue:

1) postlogin needs to be fixed to have the logic that was intended for it
2) gnome-shell (login screen mode) needs to be fixed to give the user time to read pam session messages before jumping to login
3) we need to figure out what we're going to do to address the "user should know when the session was last logged in" rhel requirement. We should talk to the designers about how to best achieve that.
I've filed an upstream bug ( https://bugzilla.gnome.org/show_bug.cgi?id=694688 ) to address 2.
1) is not a real bug - the configuration as is is intended (for RHEL at least, so we might change it before the Fedora 19 is released on the branch). The first line applies to gdm and the second to sshd and login as they display the 'last login' on their own.
Steve, can you please quote the specific requirements that apply to RHEL-7?
I was confused about 1) since we've pretty much inverted the logic since bug 881930. I talked to t8m on irc. The plan going forward is:

a) he's going to take this out when f19 branches
b) I'm going to fix the gnome-shell issue
c) we're going to see if we can come up with a better answer than pam_lastlog to address this for rhel (just like ssh and login don't use pam_lastlog because they do it themselves)

The right answer for c) depends on the response for comment 5 and some back and forth with the designers I guess.
Also note that for c) it is true only for the "last successful login message" not for the "previous bad attempts to login message" as this message is still displayed by pam_lastlog for both sshd and login (showfailed option).
For the record, the requirement we are meeting comes from NIST SP800-53. In it the "AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION" control asks for the following.

Control: The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).

Control Enhancements: (1) The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.

This applies to ALL os, not just RHEL7. We fixed this for console on RHEL6 already.
What we do for the RHELs are one thing, but f19 is getting close, and these messages really take away from the login experience. t8m I fixed b) a while ago, can you do a) ?
(In reply to Ray Strode [halfline] from comment #10)
> What we do for the RHELs are one thing, but f19 is getting close, and these
> messages really take away from the login experience. t8m I fixed b) a while
> ago, can you do a) ?

Yeah can we get that in before the freeze please?
drago, already done as of: https://admin.fedoraproject.org/updates/FEDORA-2013-10781/authconfig-6.2.6-3.fc19.1,pam-1.1.6-11.fc19.1
(In reply to Tomas Mraz from comment #12)
> drago, already done as of:
> https://admin.fedoraproject.org/updates/FEDORA-2013-10781/authconfig-6.2.6-3.fc19.1,pam-1.1.6-11.fc19.1

Thanks!
I'm seeing this behavior again on Fedora 26. I will point out that I'm using a custom installation that only has @core, mesa-dri-drivers, gdm, and gnome-shell.

authconfig-7.0.1-2.fc26
pam-1.3.0-2.fc26
gdm-3.24.2-1.fc26

If there is an RPM from the workstation group that I'm missing due to my custom setup that removes the lastlog messages, please let me know.
And what do you see in the /etc/pam.d/postlogin* ?
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
>
> session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
> session [default=1] pam_lastlog.so nowtmp showfailed
> session optional pam_lastlog.so silent noupdate showfailed
Is the /etc/pam.d/postlogin a symlink to /etc/pam.d/postlogin-ac? If not, the authconfig is not being run on install. The default shipped in pam contains the showfailed instead of silent.
It was not. Running `authconfig --update` resolved the issue for me. I guess that is run during the normal installation and I skipped it doing it my custom way. Thanks!
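
The skip logic debated in this thread, as an added example (not part of the bug report and not Linux-PAM code): a small Python model of the `[success=N]` / `[default=N]` jump actions and the `service` glob tests of pam_succeed_if, reporting which pam_lastlog line executes for a given service under the rawhide stack, the Fedora 26 stack from the later comment, and the `=~` change proposed in the first comment. Assumptions: function names are hypothetical, the stacks are constructed copies of the quoted lines, every module other than pam_succeed_if is treated as returning success, and the service names in the usage are sample inputs.

```python
import fnmatch

# Constructed copies of the postlogin stacks quoted in the thread.
RAWHIDE = """\
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
"""
F26 = RAWHIDE.replace("service !~ gdm*", "service !~ gdm* service !~ su*")
PROPOSED = RAWHIDE.replace("!~", "=~")  # the change proposed in the first comment

def succeed_if(args, service):
    """Model pam_succeed_if: every 'service <op> <glob>' test must hold."""
    words = [a for a in args if a != "quiet"]
    for field, op, pattern in zip(words[0::3], words[1::3], words[2::3]):
        if field != "service" or op not in ("=~", "!~"):
            raise ValueError(f"unsupported condition: {field} {op} {pattern}")
        if fnmatch.fnmatchcase(service, pattern) != (op == "=~"):
            return False
    return True

def parse(stack):
    """Yield (control dict, module, args) for each non-comment line."""
    for line in stack.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rest = line.split(None, 1)[1]          # drop the "session" type
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            control = {"default": ctl}         # e.g. "optional": never jumps
        module, *args = rest.split()
        yield control, module, args

def lastlog_runs(stack, service):
    """Return the option lists of the pam_lastlog lines that execute."""
    ran, skip = [], 0
    for control, module, args in parse(stack):
        if skip:                               # jumped over by a previous line
            skip -= 1
            continue
        ok = succeed_if(args, service) if module == "pam_succeed_if.so" else True
        if module == "pam_lastlog.so":
            ran.append(args)
        action = (control.get("success") if ok else None) or control.get("default", "ignore")
        skip = int(action) if action.isdigit() else 0
    return ran
```

Calling `lastlog_runs(RAWHIDE, "gdm-password")` returns the non-silent line and `lastlog_runs(RAWHIDE, "sshd")` the silent one; with `PROPOSED` the two results swap.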