I've read the wiki page. I'm fine with the proposed approach. I note that by including pam_lastlog2.so in a pam-auth-update configuration, other services (gdm, for example) will include lastlog info.
The fact that gdm and other display managers do not include pam_lastlog.so suggests that it's usage is not all that important. If pam_lastlog2 is also a session module, I recommend it only be used for interactive sessions To do this include the following in the pam-auth-update config: Session-Interactive-Only: yes
signature.asc
Description: PGP signature