bugzilla-daemon at mindrot.org
2012-Nov-13 22:44 UTC
[Bug 2049] New: Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

          Priority: P5
            Bug ID: 2049
          Assignee: unassigned-bugs at mindrot.org
           Summary: Request for a configurable option for SFTP to display login information to the user after a successful login.
          Severity: enhancement
    Classification: Unclassified
                OS: Linux
          Reporter: rthornberry at alcatel-lucent.com
          Hardware: All
            Status: NEW
           Version: -current
         Component: sftp-server
           Product: Portable OpenSSH

A configurable option for sftp is requested that would display login information to the user after a successful sftp login:

After a successful sftp login, display the last valid login date and time and the number of consecutive unsuccessful login attempts prior to the current successful one made with that user's ID. This information is useful to alert the user of potential misuse of the sftp login.

This sftp display option should be implemented as a configurable run time or compile time option to ensure that existing functionality is preserved in cases where the optional display is not needed.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2012-Nov-22 23:54 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Darren Tucker <dtucker at zip.com.au> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
There's not really such a thing as "an sftp login". There's only "logins" (or more correctly, authentications), after which zero or more sessions may be established, zero or more of which may ask for the sftp subsystem.

For normal logins, "last logged in at" messages are collected from either PAM or from within sshd itself then sent to the user at the start of their shell session. For sftp sessions, there is no shell session.

Potentially you could send the message back in a ssh protocol banner message (which sshd does in the case of a denial by the PAM account stack) but that change would affect all sessions, not just the sftp ones.
bugzilla-daemon at mindrot.org
2012-Nov-23 00:26 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Created attachment 2194
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2194&action=edit
Always send PAM auth+account messages via banner

Here's one way you could do it: get sshd to always send the PAM account messages. You'd need pam_lastlog.so or equivalent in the PAM config, eg:

    account required pam_lastlog.so

however in the case of linuxpam, pam_lastlog only supports "session".
bugzilla-daemon at mindrot.org
2012-Nov-23 00:49 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
correction: it looks like the ability to run pam_lastlog in the account stack was added recently: http://www.linux-pam.org/Linux-PAM-html/sag-pam_lastlog.html (between 1.1.5 and 1.1.6 by the look of it).
bugzilla-daemon at mindrot.org
2012-Nov-23 06:49 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Tomas Mraz <t8m at centrum.cz> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |t8m at centrum.cz

--- Comment #4 from Tomas Mraz <t8m at centrum.cz> ---
But the auth and account functionality of pam_lastlog is completely different from the session. It will lock out users that did not login on the system recently enough.
bugzilla-daemon at mindrot.org
2013-Jan-09 01:48 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

kimha <kimha007 at yahoo.com> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kimha007 at yahoo.com

--- Comment #5 from kimha <kimha007 at yahoo.com> ---
Hello, I need to provide AT&T an update on this. Please let me know ALU's plan to move this forward.
bugzilla-daemon at mindrot.org
2013-Jan-10 00:57 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2194|                            |ok+
              Flags|                            |

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2194
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2194
Always send PAM auth+account messages via banner

I have no objections for sending the messages on success as well as failure.
bugzilla-daemon at mindrot.org
2014-Feb-21 22:47 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

--- Comment #7 from R Thornberry <rthornberry at alcatel-lucent.com> ---
When will this enhancement be included in OpenSSH and in what release? I recommend that the Importance of this enhancement be changed from 5 to 1 because of the need to inform the sftp user of the date and time of the last valid login (authentication) and the number of consecutive login (authentication) attempts prior to the current successful one.
bugzilla-daemon at mindrot.org
2014-Apr-14 21:01 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

R Thornberry <rthornberry at alcatel-lucent.com> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P1
bugzilla-daemon at mindrot.org
2014-Sep-24 23:15 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

R Thornberry <rthornberry at alcatel-lucent.com> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rthornberry at alcatel-lucent.
                   |                            |com
bugzilla-daemon at mindrot.org
2020-Aug-07 07:18 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Darren Tucker <dtucker at dtucker.net> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3162

--- Comment #8 from Darren Tucker <dtucker at dtucker.net> ---
Updated patch to current and applied. It's a slight improvement but I'm not sure it resolves the original report since AFAIK none of the original reporters tested it for their use case.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
bugzilla-daemon at mindrot.org
2020-Oct-02 04:49 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Darren Tucker <dtucker at dtucker.net> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3217

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2020-Oct-02 04:52 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Darren Tucker <dtucker at dtucker.net> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3162                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
bugzilla-daemon at mindrot.org
2020-Nov-19 04:14 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Michael Watters <wattersm at watters.ws> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wattersm at watters.ws

--- Comment #9 from Michael Watters <wattersm at watters.ws> ---
Not sure if this is related but I'm now seeing password expiration warnings when logging in as a user which does not have a password expiration date set. For example:

    [root@f33 test_keys]# ssh -i id_rsa user1@localhost hostname 2>&1
    Warning: your password will expire in 32766 days.

This account is an LDAP user which is defined using the rfc2307bis schema. Also, this message does not appear when logging in to a server running OpenSSH 8.3 on Fedora 32. I have checked the sshd_config and pam.d configuration on both systems which shows no difference at all.
bugzilla-daemon at mindrot.org
2020-Nov-19 07:52 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

--- Comment #10 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Michael Watters from comment #9)
> [root@f33 test_keys]# ssh -i id_rsa user1@localhost hostname 2>&1
> Warning: your password will expire in 32766 days.

That sounds like one of the PAM stacks is returning that message, but previously not in a way sshd would send to the client. You can check this with my pam-test-harness tool:

    $ wget https://www.dtucker.net/patches/pam-test-harness.c
    $ cc -o pam-test-harness pam-test-harness.c -lpam
    $ sudo ./pam-test-harness -s sshd -u $LOGNAME

which will give output something like:

    $Id: pam-test-harness.c,v 1.35 2020/11/19 07:36:45 dtucker Exp $
    conversation struct {conv=0x4017cd, appdata_ptr=0x405210}
    pam_start(sshd, dtucker, &conv, &pamh) = 0 (Success)
    pam_get_item(pamh, PAM_SERVICE, ...) = 0 (Success)
    PAM_SERVICE = sshd (unchanged)
    pam_set_item(pamh, PAM_TTY, "/dev/pts/6") = 0 (Success)
    pam_set_item(pamh, PAM_RHOST, "[...]) = 0 (Success)
    getlogin returned NULL (No such device or address) , skipping PAM_RUSER
    pam_authenticate(pamh, 0x0)
    conversation called with 1 messages data 0x405210
    PROMPT_ECHO_OFF: Password:
    = 0 (Success)
    pam_acct_mgmt(pamh, 0x0) = 0 (Success)
    pam_open_session(pamh, 0x0) = 0 (Success)
    pam_setcred(pamh, 0x0) = 0 (Success)
    pam_get_item(pamh, PAM_SERVICE, ...) = 0 (Success)
    PAM_SERVICE = sshd (unchanged)
    pam_get_item(pamh, PAM_USER, ...) = 0 (Success)
    PAM_USER = dtucker (unchanged)
    pam_get_item(pamh, PAM_TTY, ...) = 0 (Success)
    PAM_TTY = /dev/pts/6 (unchanged)
    Standard environment variables:
    PAM environment variables:
    [...]
    uid 0 euid 0 gid 0 egid 0
    pam_close_session(pamh, 0) = 0 (Success)
    pam_end(pamh, 0) = 0 (Success)

Does that also output the expiry warning and if so, after which pam call?
bugzilla-daemon at mindrot.org
2020-Nov-19 22:46 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

--- Comment #11 from Michael Watters <wattersm at watters.ws> ---
Thanks for the response. It looks like the problem was that the user did not have a password set in our LDAP database. I reset the password for the user and the warning message is no longer being displayed. Previously the password contained a null value which may be causing some issues in PAM.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:46 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3270

--- Comment #12 from Damien Miller <djm at mindrot.org> ---
retarget to 8.6

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
bugzilla-daemon at mindrot.org
2021-Mar-03 22:50 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3217                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2021-Apr-23 04:49 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3302

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
bugzilla-daemon at mindrot.org
2021-Apr-23 04:50 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
retarget after 8.6p1 release
bugzilla-daemon at mindrot.org
2021-Apr-23 04:51 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3270                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
bugzilla-daemon at mindrot.org
2021-Jul-02 04:44 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Blocks|3302                        |
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
looks like the fix was committed a few releases ago.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
bugzilla-daemon at mindrot.org
2022-Feb-25 02:56 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Damien Miller <djm at mindrot.org> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #15 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9
bugzilla-daemon at mindrot.org
2022-Sep-21 16:42 UTC
[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Jordan Brown <mindrot at jordan.maileater.net> changed:

               What|Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mindrot at jordan.maileater.ne
                   |                            |t

--- Comment #16 from Jordan Brown <mindrot at jordan.maileater.net> ---
This fix appears to have introduced a regression: it emits the accumulated loginmsg as a banner, but does not clear it and so later (in session.c, in do_login calling display_loginmsg) those messages are emitted again as plain session text.

It looks like the fix would be to call sshbuf_reset(loginmsg) after calling userauth_send_banner().
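
The double emission described in comment #16, as an added illustration that is not part of the bug thread and not OpenSSH source: a toy model in C in which struct msgbuf and every function name are hypothetical stand-ins for sshd's loginmsg handling, and the PAM message is a constructed sample. It also covers the case from comment #1 where the session has no shell, as with sftp.

```c
/* Added illustration: toy model, not OpenSSH source. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MSG_MAX 512

/* Stand-in for the buffer that accumulates login messages during auth. */
struct msgbuf { char data[MSG_MAX]; size_t len; };

static void msgbuf_append(struct msgbuf *b, const char *s)
{
    size_t n = strlen(s), room = MSG_MAX - 1 - b->len;
    if (n > room)
        n = room;                       /* truncate rather than overflow */
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
}

static void msgbuf_reset(struct msgbuf *b) { b->len = 0; b->data[0] = '\0'; }

/* Auth phase: forward accumulated messages to the client as a banner. */
static void send_banner(struct msgbuf *loginmsg, struct msgbuf *client, int reset_after)
{
    if (loginmsg->len == 0)
        return;
    msgbuf_append(client, loginmsg->data);
    if (reset_after)
        msgbuf_reset(loginmsg);         /* the fix proposed in comment #16 */
}

/* Shell session start: print whatever is still pending, then clear it. */
static void display_pending(struct msgbuf *loginmsg, struct msgbuf *client)
{
    if (loginmsg->len == 0)
        return;
    msgbuf_append(client, loginmsg->data);
    msgbuf_reset(loginmsg);
}

/* Returns how many copies of the message reach the client for one login. */
int times_message_shown(int reset_after_banner, int shell_session)
{
    static const char pam_msg[] = "Last login: constructed sample\n";
    struct msgbuf loginmsg = { {0}, 0 }, client = { {0}, 0 };
    int count = 0;

    msgbuf_append(&loginmsg, pam_msg);  /* message collected from PAM */
    send_banner(&loginmsg, &client, reset_after_banner);
    if (shell_session)                  /* sftp-only sessions skip this step */
        display_pending(&loginmsg, &client);
    for (const char *p = client.data; (p = strstr(p, pam_msg)) != NULL; p += sizeof(pam_msg) - 1)
        count++;
    return count;
}

int main(void)
{
    printf("shell, no reset: %d\n", times_message_shown(0, 1));
    printf("shell, reset:    %d\n", times_message_shown(1, 1));
    printf("sftp,  no reset: %d\n", times_message_shown(0, 0));
    return 0;
}
```

In this model only shell sessions see the duplicate, because the second emission happens at shell start; the sftp-only case gets the banner once whether or not the buffer is reset.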