I had "PrintLastLog yes" in my sshd_config for many years, but after upgrading to 10.3 I got this error message:

    /etc/ssh/sshd_config line 112: Unsupported option PrintLastLog

It is confusing because "#PrintLastLog yes" is still included in the default sshd_config file and mentioned in the manpage. Is it an error in the default config or an error in sshd? What should be fixed?

I found this in /usr/src/crypto/openssh/servconf.c:

    #ifdef DISABLE_LASTLOG
        { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
    #else
        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
    #endif

Does it mean that the new sshd in FreeBSD 10.3 was (un)intentionally compiled with "DISABLE_LASTLOG" (--disable-lastlog)?

We have our own buildserver with svnup /usr/src and buildworld & buildkernel and installkernel & installworld.

    # cat /etc/src.conf
    WITHOUT_KERNEL_SYMBOLS=yes

    # cat /etc/make.conf
    WITH_PKGNG= yes
    SVN_UPDATE=yes
    SVN="/usr/local/bin/svnup"
    SVNFLAGS=""
    WITH_GHOSTSCRIPT_VER=9
    DEFAULT_VERSIONS= perl=5.20 mysql=5.5m php=55 python=2.7 apache=2.4
    ## https://wiki.freebsd.org/Ports/Options/OptionsNG
    ## OptionsNG sets DOCS, EXAMPLES and NLS as default - we do not need them
    OPTIONS_UNSET= X11 GUI CUPS DOCS EXAMPLES NLS
    ## cd /usr/ports/www/apache22 && make print-closest-mirrors
    MASTER_SITE_APACHE_HTTPD?= http://apache.miloslavbrada.cz/httpd/ http://mirror.hosting90.cz/apache/httpd/ ftp://mirror.hosting90.cz/apache/httpd/ http://www.eu.apache.org/dist/httpd/
    ## closest PHP mirror
    MASTER_SITE_PHP= http://cz.php.net/%SUBDIR%/
I just upgraded a 10.1 machine to 10.3 and got exactly the same.

    2016-11-04 15:28:02 +01:00 foobar sshd[3899]: rexec line 12: Unsupported option PrintLastLog

What gives?
PrintLastLog is also in FreeBSD 11.0-RELEASE sshd_config and man page
+1 The docs say it's a valid option but sshd complains about it.
It's a bad regression and I am sad nobody cares about it. Why do we have Bugzilla then?
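For locating affected hosts around an upgrade, the following added example (not part of the original thread) filters sshd diagnostics for the "Unsupported option" message quoted in the reports above. It assumes `sshd -t` writes that message to stderr; the function names and the `SSHD` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): find options that sshd still
# recognises but reports as unsupported in this build.

# Filter sshd diagnostics on stdin down to "<source>:<line> <option>".
# Handles both the bare stderr form and the syslog form quoted in this thread.
unsupported_options() {
    sed -n \
        -e 's/^.*sshd\[[0-9]*\]: //' \
        -e 's/^\(.*\) line \([0-9][0-9]*\): Unsupported option \([A-Za-z0-9]*\).*$/\1:\2 \3/p'
}

# Run sshd in test mode (-t) against a config file and report hits.
# Returns 1 when at least one unsupported option is found, so it can gate a
# restart in upgrade automation. SSHD is an overridable path (assumption).
check_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    hits=$("${SSHD:-/usr/sbin/sshd}" -t -f "$cfg" 2>&1 | unsupported_options)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample input: the two messages quoted in this thread plus an
# unrelated line that must be ignored.
sample_diagnostics() {
    cat <<'EOF'
/etc/ssh/sshd_config line 112: Unsupported option PrintLastLog
2016-11-04 15:28:02 +01:00 foobar sshd[3899]: rexec line 12: Unsupported option PrintLastLog
2016-11-04 15:28:03 +01:00 foobar sshd[3899]: Server listening on 0.0.0.0 port 22.
EOF
}

sample_diagnostics | unsupported_options
```

The same filter can be fed from a log file, which also catches the `rexec` form that only appears once a connection is handled.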
related commits: https://lists.freebsd.org/pipermail/svn-src-all/2013-March/065999.html https://lists.freebsd.org/pipermail/svn-src-all/2013-March/066000.html
(In reply to llua from comment #5) Fine, DES made this commit, but it still doesn't explain who approved this POLA violation (breakage after upgrade) and why FreeBSD is still shipped with PrintLastLog in default config and documentation. So this should be reverted or other parts must be fixed. I am disappointed that this serious issue has no attention of the RE team or committers.
Based on the commit message for https://svnweb.freebsd.org/base?view=revision&revision=247893 it sounds like this should never have worked in 10 and was only there as the configure script incorrectly detected utmp / lastlog.

That said it appears that lastlog in sshd supports utmpx via getutxuser.

Digging some more it seems like this may well be a change in behaviour of the openssh DISABLE_LASTLOG from the upstream 7.2p1 change set: e#diff-267d507f9cf4a70e051aaeecb89ad93bR509

This wasn't merged through until 7.2p2: https://svnweb.freebsd.org/base?view=revision&revision=296633

Given this I think this was unintended and there should be a new commit to remove --disable-lastlog which was added here: https://svnweb.freebsd.org/base/head/crypto/openssh/FREEBSD-upgrade?r1=247892&r2=247891&pathrev=247892
Miroslav: the problem is (or was, at the time) that the configure script looks for the actual log files rather than the APIs. If you try to build OpenSSH on a machine that was upgraded from an older FreeBSD version and still has old log files lying around, the configure script will enable lastlog and the build will fail. Conversely, it may incorrectly disable lastlog on a system that supports it if you try to configure and build in a pristine chroot or jail (like poudriere does), because the log files aren't created until someone logs in.

Steven: the bug is not that PrintLastLog doesn't work. It *can't* work, because FreeBSD doesn't have that API any more. The bug is that it is still documented.
From my cursory checking it looks like openssh can use utmpx to provide PrintLastLog, which FreeBSD does have, however setting DISABLE_LASTLOG disables all methods of supporting sPrintLastLog hence the issue?
I'll have to double-check the code. At the time, DISABLE_LASTLOG was required to make OpenSSH build.
Yes indeed it looks like this was addressed in openssh 7.2p1
Is this resolved then?
Has anybody fixed this? Which is the correct way to re-enable the PrintLastLog option?
(In reply to Natalino Picone from comment #13) I think it does not work and will not work. I don't use it anymore, I have commented it out on all machines.
(In reply to Miroslav Lachman from comment #14) Thanks, I was looking for a way to custom build it with that option enabled, as the utmpx issues look fixed now. Which alternatives do I have to print the last failed login when connecting?
Just adding that this still occurs in FreeBSD 12.1-RELEASE-p10. Not a blocker for me in any way though.
It looks like this originated in commit a2438bbd28eb35a8968d193ac89b30a90e96f719 Author: Damien Miller <djm@mindrot.org> Date: Fri Mar 15 10:23:07 2013 +1100 - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform is unable to successfully compile them. Based on patch from des AT des.no which added +AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ + AC_DEFINE([DISABLE_LASTLOG]) <------- + ], [ +#ifdef HAVE_SYS_TYPES_H +#include <sys/types.h> +#endif +#ifdef HAVE_UTMP_H +#include <utmp.h> +#endif +#ifdef HAVE_UTMPX_H +#include <utmpx.h> +#endif +#ifdef HAVE_LASTLOG_H +#include <lastlog.h> +#endif + ]) this defines DISABLE_LASTLOG if we don't have lastlog.ll_line, but this is used only in (the two implementations of) lastlog_get_entry; utmpx_get_entry is still functional. Can you try building with this change? diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h index 943f8c6e4b6e..4e0261b6a60a 100644 --- a/crypto/openssh/config.h +++ b/crypto/openssh/config.h @@ -113,7 +113,7 @@ /* #undef DISABLE_FD_PASSING */ /* Define if you don't want to use lastlog */ -#define DISABLE_LASTLOG 1 +/* #undef DISABLE_LASTLOG */ /* Define if you don't want to use your system's login() call */ /* #undef DISABLE_LOGIN */
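Review bot: the config.h hunk flips `#define DISABLE_LASTLOG 1` by hand, but the surrounding `/* #undef DISABLE_FD_PASSING */` and `/* #undef DISABLE_LOGIN */` entries have the shape of configure output, so the edit is liable to be lost the next time the file is regenerated. The quoted configure.ac fragment still calls AC_DEFINE([DISABLE_LASTLOG]) when struct lastlog.ll_line is missing; either change that test in the same patch or record the manual override alongside the import instructions so it is reapplied on each update.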
This is a bug in OpenSSH upstream and I've sent mail to the openssh-unix-devel mailing list about it. This patch is probably closer to the proper fix; please give it a try: diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 6eaf9c2876ff..45587631cb8b 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -611,7 +611,7 @@ static struct { { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, -#ifdef DISABLE_LASTLOG +#if defined(DISABLE_LASTLOG) && defined(DISABLE_UTMPX) { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, #else { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, @@ -2915,7 +2915,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sKbdInteractiveAuthentication, o->kbd_interactive_authentication); dump_cfg_fmtint(sPrintMotd, o->print_motd); -#ifndef DISABLE_LASTLOG +#if !defined(DISABLE_LASTLOG) || !defined(DISABLE_UTMPX) dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); #endif dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
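Review bot: the two hunks spell one predicate twice, as `defined(DISABLE_LASTLOG) && defined(DISABLE_UTMPX)` at the "printlastlog" keyword entry and as its negation around dump_cfg_fmtint(sPrintLastLog, ...) in dump_config(), and nothing keeps the two in step. Suggest deriving a single feature macro once and testing it in both places, with a comment stating which backends count; as written only utmpx is considered alongside lastlog, so a build with another working backend and DISABLE_UTMPX set would still report the option as unsupported.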
(In reply to Ed Maste from comment #18) Just noticed this as well, and the patch takes care of the problem.
(In reply to Yuri Pankov from comment #19) Actually after a little more thought I believe the right fix is: /* Define if you don't want to use lastlog */ -#define DISABLE_LASTLOG 1 +/* #undef DISABLE_LASTLOG */ and should be addressed upstream by fixing configure
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=43c6b7a60aff069da7e0ba6c87d3d7a532e812f6

commit 43c6b7a60aff069da7e0ba6c87d3d7a532e812f6
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:09:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-20 01:17:59 +0000

    openssh: restore PrintLastLog option

    Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
    exist, but PrintLastLog also works with utmpx and other mechanisms.

    Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR: 209441
    Sponsored by: The FreeBSD Foundation

 crypto/openssh/config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=170511589e4d15a27ee92979691cfc1b26929bb7

commit 170511589e4d15a27ee92979691cfc1b26929bb7
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:03:26 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-20 22:08:16 +0000

    openssh: Update configure for DISABLE_LASTLOG

    PR: 209441
    Sponsored by: The FreeBSD Foundation

 crypto/openssh/configure.ac | 1 +
 1 file changed, 1 insertion(+)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=170520f882297617eaee7665a6813d03243e87a4

commit 170520f882297617eaee7665a6813d03243e87a4
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:09:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-27 16:45:37 +0000

    openssh: restore PrintLastLog option

    Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
    exist, but PrintLastLog also works with utmpx and other mechanisms.

    Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR: 209441
    Sponsored by: The FreeBSD Foundation

    (cherry picked from commit 43c6b7a60aff069da7e0ba6c87d3d7a532e812f6)
    (cherry picked from commit 170511589e4d15a27ee92979691cfc1b26929bb7)

 crypto/openssh/config.h     | 2 +-
 crypto/openssh/configure.ac | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=545163d9bc9c807cad78577bfe3346efb2d02482

commit 545163d9bc9c807cad78577bfe3346efb2d02482
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:09:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-27 16:48:33 +0000

    openssh: restore PrintLastLog option

    Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
    exist, but PrintLastLog also works with utmpx and other mechanisms.

    Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR: 209441
    Sponsored by: The FreeBSD Foundation

    (cherry picked from commit 43c6b7a60aff069da7e0ba6c87d3d7a532e812f6)
    (cherry picked from commit 170511589e4d15a27ee92979691cfc1b26929bb7)
    (cherry picked from commit 170520f882297617eaee7665a6813d03243e87a4)

 crypto/openssh/config.h     | 2 +-
 crypto/openssh/configure.ac | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d5e2d0f140cef6d09c4ddeb594cee027642366a7

commit d5e2d0f140cef6d09c4ddeb594cee027642366a7
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-07-18 16:23:31 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-18 16:27:02 +0000

    openssh: document a locally-applied workaround

    We have a local hacky workaround for an issue caused by a hacky upstream
    autoconf test.

    Reported upstream on the OpenSSH mailing list:
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR: 209441
    Sponsored by: The FreeBSD Foundation

 crypto/openssh/FREEBSD-upgrade | 8 ++++++++
 1 file changed, 8 insertions(+)