Bug 209441

Summary: SSHd in FreeBSD 10.3 complains about PrintLastLog
Product: Base System
Reporter: Miroslav Lachman <000.fbsd>
Component: bin
Assignee: Ed Maste <emaste>
Status: Closed FIXED
Severity: Affects Some People
CC: amd64, amontalban, des, elofu17, emaste, jasonmader, jon, llua, natalino.picone, re, smh, trekie, yuripv
Priority: ---
Version: 12.1-RELEASE
Hardware: amd64
OS: Any

Description Miroslav Lachman 2016-05-10 23:56:19 UTC
I had "PrintLastLog yes" in my sshd_config for many years but after upgrade to 10.3 I got this error message:

/etc/ssh/sshd_config line 112: Unsupported option PrintLastLog

It is confusing because "#PrintLastLog yes" is still included in default sshd_config file and mentioned in manpage.

Is it an error in the default config or an error in sshd? What should be fixed?


I found in /usr/src/crypto/openssh/servconf.c

#ifdef DISABLE_LASTLOG
        { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
#else
        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
#endif


Does it mean that the new sshd in FreeBSD 10.3 was (un)intentionally compiled with "DISABLE_LASTLOG" (--disable-lastlog)?


We have our own build server with svnup /usr/src and buildworld & buildkernel and installkernel & installworld.

# cat /etc/src.conf

WITHOUT_KERNEL_SYMBOLS=yes



# cat /etc/make.conf

WITH_PKGNG= yes

SVN_UPDATE=yes
SVN="/usr/local/bin/svnup"
SVNFLAGS=""


WITH_GHOSTSCRIPT_VER=9

DEFAULT_VERSIONS= perl=5.20 mysql=5.5m php=55 python=2.7 apache=2.4

## https://wiki.freebsd.org/Ports/Options/OptionsNG
## OptionsNG sets DOCS, EXAMPLES and NLS as default - we do not need them
OPTIONS_UNSET= X11 GUI CUPS DOCS EXAMPLES NLS


## cd /usr/ports/www/apache22 && make print-closest-mirrors
MASTER_SITE_APACHE_HTTPD?= http://apache.miloslavbrada.cz/httpd/ http://mirror.hosting90.cz/apache/httpd/ ftp://mirror.hosting90.cz/apache/httpd/ http://www.eu.apache.org/dist/httpd/

## closest PHP mirror
MASTER_SITE_PHP= http://cz.php.net/%SUBDIR%/
Comment 1 elofu17 2016-11-04 14:29:25 UTC
I just upgraded a 10.1 machine to 10.3 and got exactly the same.

2016-11-04 15:28:02 +01:00 foobar sshd[3899]: rexec line 12: Unsupported option PrintLastLog

What gives?
Comment 2 Jason Mader 2016-11-04 16:06:19 UTC
PrintLastLog is also in FreeBSD 11.0-RELEASE sshd_config and man page
Comment 3 Andres Montalban 2017-01-06 20:32:29 UTC
+1

The docs say it's a valid option but sshd complains about it.
Comment 4 Miroslav Lachman 2017-01-06 21:48:13 UTC
It's a bad regression and I am sad nobody cares about it.
Why do we have Bugzilla then?
Comment 6 Miroslav Lachman 2017-02-06 13:20:53 UTC
(In reply to llua from comment #5)

Fine, DES made this commit, but it still doesn't explain who approved this POLA violation (breakage after upgrade) and why FreeBSD is still shipped with PrintLastLog in default config and documentation.

So this should be reverted or other parts must be fixed.
I am disappointed that this serious issue has no attention of the RE team or committers.
Comment 7 Steven Hartland freebsd_committer freebsd_triage 2017-02-06 13:53:34 UTC
Based on the commit message for https://svnweb.freebsd.org/base?view=revision&revision=247893 it sounds like this should never have worked in 10 and was only there as the configure script incorrectly detected utmp / lastlog.

That said it appears that lastlog in sshd supports utmpx via getutxuser.

Digging some more it seems like this may well be a change in behaviour of the openssh DISABLE_LASTLOG from the upstream 7.2p1 change set:
e#diff-267d507f9cf4a70e051aaeecb89ad93bR509


This wasn't merged through until 7.2p2:
https://svnweb.freebsd.org/base?view=revision&revision=296633

Given this I think this was unintended and there should be a new commit to remove --disable-lastlog which was added here:
https://svnweb.freebsd.org/base/head/crypto/openssh/FREEBSD-upgrade?r1=247892&r2=247891&pathrev=247892
Comment 8 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2017-02-06 15:17:03 UTC
Miroslav: the problem is (or was, at the time) that the configure script looks for the actual log files rather than the APIs.  If you try to build OpenSSH on a machine that was upgraded from an older FreeBSD version and still has old log files lying around, the configure script will enable lastlog and the build will fail.  Conversely, it may incorrectly disable lastlog on a system that supports it if you try to configure and build in a pristine chroot or jail (like poudriere does), because the log files aren't created until someone logs in.

Steven: the bug is not that PrintLastLog doesn't work. It *can't* work, because FreeBSD doesn't have that API any more. The bug is that it is still documented.
Comment 9 Steven Hartland freebsd_committer freebsd_triage 2017-02-06 15:51:38 UTC
From my cursory checking it looks like openssh can use utmpx to provide PrintLastLog, which FreeBSD does have, however setting DISABLE_LASTLOG disables all methods of supporting sPrintLastLog hence the issue?
Comment 10 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2017-02-06 15:57:46 UTC
I'll have to double-check the code.  At the time, DISABLE_LASTLOG was required to make OpenSSH build.
Comment 11 Steven Hartland freebsd_committer freebsd_triage 2017-02-06 16:00:20 UTC
Yes indeed it looks like this was addressed in openssh 7.2p1
Comment 12 Ed Maste freebsd_committer freebsd_triage 2019-11-20 15:02:28 UTC
Is this resolved then?
Comment 13 Natalino Picone 2019-12-03 08:45:28 UTC
Has anybody fixed this?
What is the correct way to re-enable the PrintLastLog option?
Comment 14 Miroslav Lachman 2019-12-03 09:33:09 UTC
(In reply to Natalino Picone from comment #13)
I think it does not work and will not work. I don't use it anymore, I have commented it out on all machines.
Comment 15 Natalino Picone 2019-12-03 10:08:29 UTC
(In reply to Miroslav Lachman from comment #14)
Thanks, I was looking for a way to custom build it with that option enabled as utmpx issues look fixed now.

Which alternatives do I have to print the last failed login when connecting?
Comment 16 Jonathan Vasquez 2020-09-22 11:53:57 UTC
Just adding that this still occurs in FreeBSD 12.1-RELEASE-p10. Not a blocker for me in any way though.
Comment 17 Ed Maste freebsd_committer freebsd_triage 2022-05-18 17:34:17 UTC
It looks like this originated in

commit a2438bbd28eb35a8968d193ac89b30a90e96f719
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Mar 15 10:23:07 2013 +1100

     - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform
        is unable to successfully compile them. Based on patch from des AT
        des.no

which added

+AC_CHECK_MEMBER([struct lastlog.ll_line], [], [
+       AC_DEFINE([DISABLE_LASTLOG])       <-------
+       ], [
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UTMP_H
+#include <utmp.h>
+#endif
+#ifdef HAVE_UTMPX_H
+#include <utmpx.h>
+#endif
+#ifdef HAVE_LASTLOG_H
+#include <lastlog.h>
+#endif
+       ])
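Review bot: the failure branch at AC_DEFINE([DISABLE_LASTLOG]) switches off more than the struct lastlog code. The servconf.c excerpt in the description maps "printlastlog" to sUnsupported under this same macro, so a platform that includes utmpx.h in this very check but lacks lastlog.ll_line loses the option entirely. Suggest either defining a narrower macro here that only guards the struct lastlog readers, or leaving this check alone and changing the keyword gate so it no longer depends on DISABLE_LASTLOG by itself.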


this defines DISABLE_LASTLOG if we don't have lastlog.ll_line, but this is used only in (the two implementations of) lastlog_get_entry; utmpx_get_entry is still functional.

Can you try building with this change?

diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h
index 943f8c6e4b6e..4e0261b6a60a 100644
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@ -113,7 +113,7 @@
 /* #undef DISABLE_FD_PASSING */
 
 /* Define if you don't want to use lastlog */
-#define DISABLE_LASTLOG 1
+/* #undef DISABLE_LASTLOG */
 
 /* Define if you don't want to use your system's login() call */
 /* #undef DISABLE_LOGIN */
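Review bot: undefining DISABLE_LASTLOG at the changed line re-enables everything the macro guards, not only the PrintLastLog keyword, and comment 10 says the define was once required for OpenSSH to build at all. Please confirm a clean build with this change before it goes in. The edit is also made by hand in config.h with nothing in the hunk saying why it differs from what configure produces, so a note recording the override is needed to keep the next import from silently restoring "#define DISABLE_LASTLOG 1".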
Comment 18 Ed Maste freebsd_committer freebsd_triage 2022-05-18 18:19:04 UTC
This is a bug in OpenSSH upstream and I've sent mail to the openssh-unix-devel mailing list about it.

This patch is probably closer to the proper fix; please give it a try:

diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 6eaf9c2876ff..45587631cb8b 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -611,7 +611,7 @@ static struct {
        { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
        { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
        { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
-#ifdef DISABLE_LASTLOG
+#if defined(DISABLE_LASTLOG) && defined(DISABLE_UTMPX)
        { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
 #else
        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
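Review bot: the new condition on the "printlastlog" table entry has no comment explaining why DISABLE_UTMPX is part of it. A one-line comment above the #if saying that PrintLastLog can be served from utmpx when lastlog is disabled would keep a later reader from simplifying it back to "#ifdef DISABLE_LASTLOG".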
@@ -2915,7 +2915,7 @@ dump_config(ServerOptions *o)
        dump_cfg_fmtint(sKbdInteractiveAuthentication,
            o->kbd_interactive_authentication);
        dump_cfg_fmtint(sPrintMotd, o->print_motd);
-#ifndef DISABLE_LASTLOG
+#if !defined(DISABLE_LASTLOG) || !defined(DISABLE_UTMPX)
        dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 #endif
        dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
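Review bot: the condition in dump_config is the hand-negated form of the one in the keyword table, so the two sites only stay in agreement as long as both are edited together. Suggest deriving a single macro once from DISABLE_LASTLOG and DISABLE_UTMPX and testing that in both places, or at least writing this one as "#if !(defined(DISABLE_LASTLOG) && defined(DISABLE_UTMPX))" so it visibly mirrors the table gate.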
Comment 19 Yuri Pankov freebsd_committer freebsd_triage 2023-04-19 18:19:54 UTC
(In reply to Ed Maste from comment #18)
Just noticed this as well, and the patch takes care of the problem.
Comment 20 Ed Maste freebsd_committer freebsd_triage 2023-04-20 00:08:40 UTC
(In reply to Yuri Pankov from comment #19)
Actually after a little more thought I believe the right fix is:

 /* Define if you don't want to use lastlog */
-#define DISABLE_LASTLOG 1
+/* #undef DISABLE_LASTLOG */

and should be addressed upstream by fixing configure
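The three preprocessor gates discussed in this thread (the servconf.c excerpt in the description, the comment 18 patch, and the comment 20 change) compared side by side, as an added example that is not OpenSSH or FreeBSD code. The opcode enum, the one-entry tables and the lookup helper are cut-down stand-ins, and the macro setting is a constructed model of a build with lastlog disabled and utmpx available.

```c
#include <stdio.h>
#include <strings.h>
/* Cut-down stand-ins for servconf.c's opcodes and keyword table (assumed). */
typedef enum { sBadOption, sUnsupported, sPrintLastLog } opcode;
struct keyword { const char *name; opcode code; };
/* Constructed build setting: lastlog disabled, DISABLE_UTMPX left undefined. */
#define DISABLE_LASTLOG 1
static const struct keyword tbl_original[] = {	/* gate quoted in the description */
#ifdef DISABLE_LASTLOG
	{ "printlastlog", sUnsupported },
#else
	{ "printlastlog", sPrintLastLog },
#endif
	{ NULL, sBadOption }
};

static const struct keyword tbl_comment18[] = {	/* gate from the comment 18 patch */
#if defined(DISABLE_LASTLOG) && defined(DISABLE_UTMPX)
	{ "printlastlog", sUnsupported },
#else
	{ "printlastlog", sPrintLastLog },
#endif
	{ NULL, sBadOption }
};

#undef DISABLE_LASTLOG	/* comment 20: original gate, macro no longer defined */
static const struct keyword tbl_comment20[] = {
#ifdef DISABLE_LASTLOG
	{ "printlastlog", sUnsupported },
#else
	{ "printlastlog", sPrintLastLog },
#endif
	{ NULL, sBadOption }
};

/* Case-insensitive keyword lookup; unknown names map to sBadOption. */
static opcode lookup(const struct keyword *t, const char *name)
{
	for (; t->name != NULL; t++)
		if (strcasecmp(t->name, name) == 0)
			return t->code;
	return sBadOption;
}

int main(void)
{
	printf("%d %d %d\n", lookup(tbl_original, "PrintLastLog"),
	    lookup(tbl_comment18, "PrintLastLog"), lookup(tbl_comment20, "PrintLastLog"));
	return 0;
}
```

Only the first table resolves the keyword to sUnsupported, which is the case that produces the "Unsupported option PrintLastLog" message from the description.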
Comment 21 commit-hook freebsd_committer freebsd_triage 2023-04-20 01:38:33 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=43c6b7a60aff069da7e0ba6c87d3d7a532e812f6

commit 43c6b7a60aff069da7e0ba6c87d3d7a532e812f6
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:09:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-20 01:17:59 +0000

    openssh: restore PrintLastLog option

    Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
    exist, but PrintLastLog also works with utmpx and other mechanisms.

    Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR:             209441
    Sponsored by:   The FreeBSD Foundation

 crypto/openssh/config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 22 commit-hook freebsd_committer freebsd_triage 2023-04-20 22:09:15 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=170511589e4d15a27ee92979691cfc1b26929bb7

commit 170511589e4d15a27ee92979691cfc1b26929bb7
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:03:26 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-20 22:08:16 +0000

    openssh: Update configure for DISABLE_LASTLOG

    PR:             209441
    Sponsored by:   The FreeBSD Foundation

 crypto/openssh/configure.ac | 1 +
 1 file changed, 1 insertion(+)
Comment 23 commit-hook freebsd_committer freebsd_triage 2023-04-27 16:46:40 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=170520f882297617eaee7665a6813d03243e87a4

commit 170520f882297617eaee7665a6813d03243e87a4
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:09:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-27 16:45:37 +0000

    openssh: restore PrintLastLog option

    Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
    exist, but PrintLastLog also works with utmpx and other mechanisms.

    Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR:             209441
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 43c6b7a60aff069da7e0ba6c87d3d7a532e812f6)
    (cherry picked from commit 170511589e4d15a27ee92979691cfc1b26929bb7)

 crypto/openssh/config.h     | 2 +-
 crypto/openssh/configure.ac | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
Comment 24 commit-hook freebsd_committer freebsd_triage 2023-04-27 16:49:44 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=545163d9bc9c807cad78577bfe3346efb2d02482

commit 545163d9bc9c807cad78577bfe3346efb2d02482
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-20 00:09:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-27 16:48:33 +0000

    openssh: restore PrintLastLog option

    Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
    exist, but PrintLastLog also works with utmpx and other mechanisms.

    Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR:             209441
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit 43c6b7a60aff069da7e0ba6c87d3d7a532e812f6)
    (cherry picked from commit 170511589e4d15a27ee92979691cfc1b26929bb7)
    (cherry picked from commit 170520f882297617eaee7665a6813d03243e87a4)

 crypto/openssh/config.h     | 2 +-
 crypto/openssh/configure.ac | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
Comment 25 commit-hook freebsd_committer freebsd_triage 2023-07-18 16:28:00 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d5e2d0f140cef6d09c4ddeb594cee027642366a7

commit d5e2d0f140cef6d09c4ddeb594cee027642366a7
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-07-18 16:23:31 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-18 16:27:02 +0000

    openssh: document a locally-applied workaround

    We have a local hacky workaround for an issue caused by a hacky
    upstream autoconf test.  Reported upstream on the OpenSSH mailing list:
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

    PR:             209441
    Sponsored by:   The FreeBSD Foundation

 crypto/openssh/FREEBSD-upgrade | 8 ++++++++
 1 file changed, 8 insertions(+)