[SRU] login: remove pam_lastlog.so from config

/etc/pam.d/login references the module:

session optional pam_lastlog.so

i acknowledge that pam_lastlog.so is indeed removed from this package

Status changed to 'Confirmed' because the bug affects multiple users.

Hello!

Can't run my system properly whith this one, all the time can't pass the login screen. While you fixing it is there any workaround?

pam_lastlog is deprecated but should be replaced with pam_lastlog2
which is now packaged with util-linux

but the util-linux shipped with noble is 2.39.3-9ubuntu6
and it seems that its only packaged with util-linux => 2.40

Andrei, try to log in via multiple methods. Every service (ssh, login, gdm, xdm, etc) has its own PAM configuration and some of them may reference this module and some may not.

Once you've logged in, edit the files in /etc/pam.d/ that reference this module. Remove or comment them out. Save, then test. Don't quit any root shells in the process of testing, because changing PAM configuration can lock you out of your system -- as you've discovered.

Thanks

Hi

I think this is related to an issue with last and lastlog.

I have users who log in via ssh, but do not show with last or lastlog.

Solution might be with /etc/pam.d/sshd
https://unix.stackexchange.com/questions/348620/why-my-linux-doesnt-display-last-login-date

Hi,

As suggested before, i edited the file /etc/pam.d/login :

sudo nano /etc/pam.d/login

and commented this line with #, and restarted :

#session optional pam_lastlog.so

is there any possibility to upgrade util-linux to 2.40 in noble repository
so this issue can be solved?

triage: remove pam_lastlog.so from configuration following the debian change

Hi all,

I spent some time reproducing this issue, thus far, it seems as though this issue is entirely cosmetic - I've only been able to reproduce the annoying log message, but have failed to reproduce any issues actually logging in. Can anyone please confirm to me that this issue is purely cosmetic?

@bogatav do you have any more details about your system you can provide which will help me to reproduce your issue? Otherwise, I will SRU a fix only to stop the occurrence of the log message regarding pam_lastlog.so.

Since this is an SRU, I won't apply the whole patch as debian did:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1068229;filename=shadow-4.13%2Bdfsg1-4.1-nmu.diff;msg=39

I plan to just remove the mention of pam_lastlog.so from debian/login.pam. Removing mentions of the lastlog binary may break any scripts using lastlog.

I believe it is a problem, since it seems to be causing "last" not to work correctly.

Removing the entry in /etc/pam.d/login will just clean up the /var/log/auth.log file and not fix the missing entry in /var/log/wtmp - right?

Hi Mikael,

The missing entry in /var/log/wtmp is a pre-existing issue. To fix that in noble would involve a separate SRU, to my understanding. We would need to SRU changes from util-linux/2.40* (which includes pam_lastlog2.so) to noble, as well as SRU'ing changes to shadow which would involve depending on the lastlog2 binary instead of lastlog.

This SRU is about getting rid of the noisy log messages from /var/log/auth.log

Thanks, and please let me know if you believe this to be inaccurate.

MP attached to bug, ready for review, I think

Staging this bug with block-proposed-noble as the impact isn't high enough to warrant an upload on it's own. This is a nice-to-have, fixing a cosmetic issue, and should be bundled with another SRU.

Looking for sponsorship for this!

Hello Alfonso, or anyone else affected,

Accepted shadow into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shadow/1:4.13+dfsg1-4ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I performed a fresh noble install in a VM, first I verified that the issue was still persistent. See screenshot attached

Then, (in GDM, not a tty) I downloaded:
http://launchpadlibrarian.net/761035045/login_4.13+dfsg1-4ubuntu3.3_amd64.deb

Ran:
```
sudo apt install ./login_4.13+dfsg1-4ubuntu3.3_amd64.deb
```
verified that the problematic entry was no longer present in /etc/pam.d/login:
```
$ cat /etc/pam.d/login | grep lastlog
$ echo $?
1
$
```
Then, I logged back in via tty, and took the screenshot attached in this comment, verifying that the log message no longer persists.

update to login 4.13+dfsg1-4ubuntu3.3 solved problem

All autopkgtests for the newly accepted shadow (1:4.13+dfsg1-4ubuntu3.3) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

autopkgtest/5.38ubuntu1~24.04.1 (arm64)
samba/2:4.19.5+dfsg-4ubuntu9 (s390x)
samba/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#shadow

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!