Re: Sarge: Lost # of failed logins
On Fri, Jul 27, 2007 at 20:14:02 -0500, Mumia W.. wrote: > On 07/27/2007 05:55 PM, Andrew Sackville-West wrote: >> On Fri, Jul 27, 2007 at 02:53:54PM -0500, Mumia W.. wrote: >>> [...] >>> The "faillog" command doesn't give any output to me, and /var/log/faillog >>> is still zero bytes. >> so, what mechanism writes the faillog. Maybe it panics on bad perms? >> mine are 0644 root:root >> A > > Same here. I can remove /var/log/faillog on my system (Sid-amd64) and create a new one with "touch" (empty file, permissions like yours). After the first failed login the file is 32KB long (the same length as it had before) and both the login failure messages and the faillog command work normally again. I would of course be very worried if the faillog file disappeared on its own all of a sudden. (Now that I have become aware of its existence in the course of this thread.) Likewise, it would be suspicious if the empty "seed" file remained unchanged after subsequent login failures. -- Regards,| http://users.icfo.es/Florian.Kulzer Florian | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On 07/27/2007 05:55 PM, Andrew Sackville-West wrote: On Fri, Jul 27, 2007 at 02:53:54PM -0500, Mumia W.. wrote: [...] The "faillog" command doesn't give any output to me, and /var/log/faillog is still zero bytes. so, what mechanism writes the faillog. Maybe it panics on bad perms? mine are 0644 root:root A Same here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On Fri, Jul 27, 2007 at 02:53:54PM -0500, Mumia W.. wrote: > On 07/27/2007 09:16 AM, Florian Kulzer wrote: >> On Fri, Jul 27, 2007 at 08:50:46 -0500, Mumia W.. wrote: >> [...] >>> Hmm. My /var/log/faillog was missing, but even when I 'touch' it, the >>> behavior doesn't change. My FAILLOG_ENAB is also "yes" in >>> /etc/login.defs. >> Do you get the normal output when you run "faillog"? >> $ faillog >> Login Failures Maximum Latest On >> root00 07/09/07 09:44:25 +0200 tty1 >> florian 00 07/27/07 09:15:42 +0200 tty1 >> [...] > > The "faillog" command doesn't give any output to me, and /var/log/faillog > is still zero bytes. so, what mechanism writes the faillog. Maybe it panics on bad perms? mine are 0644 root:root A signature.asc Description: Digital signature
Re: Sarge: Lost # of failed logins
On 07/27/2007 09:16 AM, Florian Kulzer wrote: On Fri, Jul 27, 2007 at 08:50:46 -0500, Mumia W.. wrote: [...] Hmm. My /var/log/faillog was missing, but even when I 'touch' it, the behavior doesn't change. My FAILLOG_ENAB is also "yes" in /etc/login.defs. Do you get the normal output when you run "faillog"? $ faillog Login Failures Maximum Latest On root00 07/09/07 09:44:25 +0200 tty1 florian 00 07/27/07 09:15:42 +0200 tty1 [...] The "faillog" command doesn't give any output to me, and /var/log/faillog is still zero bytes. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On Fri, Jul 27, 2007 at 08:50:46 -0500, Mumia W.. wrote: [...] > Hmm. My /var/log/faillog was missing, but even when I 'touch' it, the > behavior doesn't change. My FAILLOG_ENAB is also "yes" in /etc/login.defs. Do you get the normal output when you run "faillog"? $ faillog Login Failures Maximum Latest On root00 07/09/07 09:44:25 +0200 tty1 florian 00 07/27/07 09:15:42 +0200 tty1 > In my /etc/pam.d/login file, "session optional pam_lastlog.so" is > enabled. I have the same entry. My impression is that this module is responsible for the "Last login: $DATE on $TERMINAL" output. The message "n failure(s) since last login" seems to triggered later, after pam_motd.so and pam_mail.so have done their job. -- Regards,| http://users.icfo.es/Florian.Kulzer Florian | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On 07/27/2007 05:57 AM, Florian Kulzer wrote: On Thu, Jul 26, 2007 at 20:44:49 -0700, Andrew Sackville-West wrote: On Thu, Jul 26, 2007 at 05:52:00PM -0600, Bob Proulx wrote: Florian Kulzer wrote: I have been using Debian for about 5 years now. As far as I remember, it always had the "n failure(s) since last login" message (if n was greater than zero). I have never seen that message. it works reliably on this particular up-to-date sid box, shows the proper number of failures. I think it must come from login, but I can't see what might cause to happen or not. [...] I do _not_ get this message over ssh, so it must come from that pair -- login or getty... I think this is controlled in /etc/login.defs: # # Enable logging and display of /var/log/faillog login failure info. # This option conflicts with the pam_tally PAM module. # FAILLOG_ENAByes [...] Hmm. My /var/log/faillog was missing, but even when I 'touch' it, the behavior doesn't change. My FAILLOG_ENAB is also "yes" in /etc/login.defs. In my /etc/pam.d/login file, "session optional pam_lastlog.so" is enabled. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On 07/26/2007 10:44 PM, Andrew Sackville-West wrote: On Thu, Jul 26, 2007 at 05:52:00PM -0600, Bob Proulx wrote: Florian Kulzer wrote: I have been using Debian for about 5 years now. As far as I remember, it always had the "n failure(s) since last login" message (if n was greater than zero). I have never seen that message. it works reliably on this particular up-to-date sid box, shows the proper number of failures. I think it must come from login, but I can't see what might cause to happen or not. [...] And it works on my Etch box, but my main box is still this Sarge computer. Nothing in /etc/profile, ~/.bash_profile or ~/.bashrc seems to produce this message. Surely the message comes from the 'login' command, but I can't see what feature of login enables that. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On Thu, Jul 26, 2007 at 20:44:49 -0700, Andrew Sackville-West wrote: > On Thu, Jul 26, 2007 at 05:52:00PM -0600, Bob Proulx wrote: > > Florian Kulzer wrote: > > > I have been using Debian for about 5 years now. As far as I remember, it > > > always had the "n failure(s) since last login" message (if n was greater > > > than zero). > > > > I have never seen that message. > > it works reliably on this particular up-to-date sid box, shows the > proper number of failures. I think it must come from login, but I > can't see what might cause to happen or not. [...] > I do _not_ get this message over ssh, so it must come from that pair > -- login or getty... I think this is controlled in /etc/login.defs: # # Enable logging and display of /var/log/faillog login failure info. # This option conflicts with the pam_tally PAM module. # FAILLOG_ENAByes I do have the pam_tally.so module in /lib/security/, but it seems that it is not used in my present (Debian-default) PAM configuration. Bob Proulx and I are currently doing a brute-force comparison of all our installed packages and relevant configuration files. We will see if this turns up additional clues. -- Regards,| http://users.icfo.es/Florian.Kulzer Florian | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On Thu, Jul 26, 2007 at 05:52:00PM -0600, Bob Proulx wrote: > Florian Kulzer wrote: > > I have been using Debian for about 5 years now. As far as I remember, it > > always had the "n failure(s) since last login" message (if n was greater > > than zero). > > I have never seen that message. it works reliably on this particular up-to-date sid box, shows the proper number of failures. I think it must come from login, but I can't see what might cause to happen or not. > > > I never had to do anything to set it up, therefore I > > unfortunately don't know exactly how it works. My best guess is that it > > involves some PAM modules which parse /var/log/faillog and/or use the > > "faillog" command. Maybe this link helps to track it down: > > I always have a ~/.hushlogin. When I remove it I still never see > failures. I see this instead: > > Last login: Thu Jul 26 17:32:14 2007 from dementia.proulx.com > > If you create a .hushlogin file for you does your login failure > message at login go away? > > touch ~/.hushlogin > I see _nothing_ with a ~/.hushlogin and everything: motd, Last login, failures etc, without ~/.hushlogin > The sshd uses the presence of .hushlogin to silence the banner. In > the sshd man page: > > 1. If the login is on a tty, and no command has been specified, > prints last login time and /etc/motd (unless prevented in the > configuration file or by $HOME/.hushlogin; see the FILES section). > I do _not_ get this message over ssh, so it must come from that pair -- login or getty... A signature.asc Description: Digital signature
Re: Sarge: Lost # of failed logins
Florian Kulzer([EMAIL PROTECTED]) is reported to have said: > On Thu, Jul 26, 2007 at 13:51:27 -0600, Bob Proulx wrote: > > Mumia W.. wrote: > > > I'm using Sarge. When I log in, I no longer get a message telling me the > > > # of failed logins. > > > > > > For example, if I try to login but use a wrong password, when I try > > > again using the real password, I should see a message saying "1 failed > > > login attempts." I no longer get that message. > > > > I personally have never seen such a message. You must have previously > > installed or configured something that added that functionality. > > I have been using Debian for about 5 years now. As far as I remember, it > always had the "n failure(s) since last login" message (if n was greater > than zero). I never had to do anything to set it up, therefore I > unfortunately don't know exactly how it works. My best guess is that it > involves some PAM modules which parse /var/log/faillog and/or use the > "faillog" command. Maybe this link helps to track it down: > > http://linux.sys-con.com/read/49058.htm > > (search for "faillog" on that page) Florian I still have the results you 'had'. I tried logging in, twice, with a bad passwd. Got the following. Last login: Thu Jul 26 21:01:03 2007 on tty6 Linux dj 2.6.18-4-amd64 #1 SMP Fri May 4 00:37:33 UTC 2007 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. No mail. 1 failure since last login. BUT I failed twice! Last was Thu 26 Jul 2007 09:06:23 PM EDT on tty5. I seems to be coming from something after the motd but before the .bash_profile and .bashrc. Running etch on a new system and just noticed I had not enabled the boot log, so can't check that right now. Sorry. Wayne -- There were computers in Biblical times. Eve had an Apple. ___ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
Florian Kulzer wrote: > I have been using Debian for about 5 years now. As far as I remember, it > always had the "n failure(s) since last login" message (if n was greater > than zero). I have never seen that message. > I never had to do anything to set it up, therefore I > unfortunately don't know exactly how it works. My best guess is that it > involves some PAM modules which parse /var/log/faillog and/or use the > "faillog" command. Maybe this link helps to track it down: I always have a ~/.hushlogin. When I remove it I still never see failures. I see this instead: Last login: Thu Jul 26 17:32:14 2007 from dementia.proulx.com If you create a .hushlogin file for you does your login failure message at login go away? touch ~/.hushlogin The sshd uses the presence of .hushlogin to silence the banner. In the sshd man page: 1. If the login is on a tty, and no command has been specified, prints last login time and /etc/motd (unless prevented in the configuration file or by $HOME/.hushlogin; see the FILES section). But I never see anything about failures, just the motd and the last login time. So I don't think this is it. I am very curious as to what outputs for you the faillog! Bob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
On Thu, Jul 26, 2007 at 13:51:27 -0600, Bob Proulx wrote: > Mumia W.. wrote: > > I'm using Sarge. When I log in, I no longer get a message telling me the > > # of failed logins. > > > > For example, if I try to login but use a wrong password, when I try > > again using the real password, I should see a message saying "1 failed > > login attempts." I no longer get that message. > > I personally have never seen such a message. You must have previously > installed or configured something that added that functionality. I have been using Debian for about 5 years now. As far as I remember, it always had the "n failure(s) since last login" message (if n was greater than zero). I never had to do anything to set it up, therefore I unfortunately don't know exactly how it works. My best guess is that it involves some PAM modules which parse /var/log/faillog and/or use the "faillog" command. Maybe this link helps to track it down: http://linux.sys-con.com/read/49058.htm (search for "faillog" on that page) -- Regards,| http://users.icfo.es/Florian.Kulzer Florian | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Sarge: Lost # of failed logins
Mumia W.. wrote: > I'm using Sarge. When I log in, I no longer get a message telling me the > # of failed logins. > > For example, if I try to login but use a wrong password, when I try > again using the real password, I should see a message saying "1 failed > login attempts." I no longer get that message. I personally have never seen such a message. You must have previously installed or configured something that added that functionality. > How do I get it back, and what could I have changed to make it go away > in the first place? It sounds to me that this was a local configuration that you had created previously. Whatever you did before you would need to do again or debug. By the way... Sarge is now oldstable and the new stable is Etch. Consider upgrading. Eventually security upgrade support for Sarge will be dropped. Bob -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Sarge: Lost # of failed logins
I'm using Sarge. When I log in, I no longer get a message telling me the # of failed logins. For example, if I try to login but use a wrong password, when I try again using the real password, I should see a message saying "1 failed login attempts." I no longer get that message. How do I get it back, and what could I have changed to make it go away in the first place? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]