Bug 209441 - SSHd in FreeBSD 10.3 complains about PrintLastLog
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.3-RELEASE
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: Dag-Erling Smørgrav
Depends on:
Reported: 2016-05-10 23:56 UTC by Miroslav Lachman
Modified: 2020-09-22 11:53 UTC
Description Miroslav Lachman 2016-05-10 23:56:19 UTC
I had "PrintLastLog yes" in my sshd_config for many years, but after the upgrade to 10.3 I got this error message:

/etc/ssh/sshd_config line 112: Unsupported option PrintLastLog

It is confusing because "#PrintLastLog yes" is still included in the default sshd_config file and mentioned in the man page.

Is it an error in the default config or an error in sshd? What should be fixed?

I found in /usr/src/crypto/openssh/servconf.c

        { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },

Does it mean that the new sshd in FreeBSD 10.3 was (un)intentionally compiled with "DISABLE_LASTLOG" (--disable-lastlog)?

We have our own build server with svnup /usr/src and buildworld & buildkernel and installkernel & installworld.

# cat /etc/src.conf


# cat /etc/make.conf




DEFAULT_VERSIONS= perl=5.20 mysql=5.5m php=55 python=2.7 apache=2.4

## https://wiki.freebsd.org/Ports/Options/OptionsNG
## OptionsNG sets DOCS, EXAMPLES and NLS as default - we do not need them

## cd /usr/ports/www/apache22 && make print-closest-mirrors
MASTER_SITE_APACHE_HTTPD?= http://apache.miloslavbrada.cz/httpd/ http://mirror.hosting90.cz/apache/httpd/ ftp://mirror.hosting90.cz/apache/httpd/ http://www.eu.apache.org/dist/httpd/

## closest PHP mirror
MASTER_SITE_PHP= http://cz.php.net/%SUBDIR%/
Comment 1 elofu17 2016-11-04 14:29:25 UTC
I just upgraded a 10.1 machine to 10.3 and got exactly the same.

2016-11-04 15:28:02 +01:00 foobar sshd[3899]: rexec line 12: Unsupported option PrintLastLog

What gives?
Comment 2 Jason Mader 2016-11-04 16:06:19 UTC
PrintLastLog is also in FreeBSD 11.0-RELEASE sshd_config and man page
Comment 3 Andres Montalban 2017-01-06 20:32:29 UTC
The docs say it's a valid option but sshd complains about it.
Comment 4 Miroslav Lachman 2017-01-06 21:48:13 UTC
It's a bad regression and I am sad nobody cares about it.
Why do we have Bugzilla then?
Comment 6 Miroslav Lachman 2017-02-06 13:20:53 UTC
(In reply to llua from comment #5)

Fine, DES made this commit, but it still doesn't explain who approved this POLA violation (breakage after upgrade) and why FreeBSD is still shipped with PrintLastLog in default config and documentation.

So this should be reverted or other parts must be fixed.
I am disappointed that this serious issue has no attention of the RE team or committers.
Comment 7 Steven Hartland freebsd_committer 2017-02-06 13:53:34 UTC
Based on the commit message for https://svnweb.freebsd.org/base?view=revision&revision=247893 it sounds like this should never have worked in 10 and was only there as the configure script incorrectly detected utmp / lastlog.

That said it appears that lastlog in sshd supports utmpx via getutxuser.

Digging some more it seems like this may well be a change in behaviour of the openssh DISABLE_LASTLOG from the upstream 7.2p1 change set:

This wasn't merged through until 7.2p2:

Given this I think this was unintended and there should be a new commit to remove --disable-lastlog which was added here:
Comment 8 Dag-Erling Smørgrav freebsd_committer 2017-02-06 15:17:03 UTC
Miroslav: the problem is (or was, at the time) that the configure script looks for the actual log files rather than the APIs.  If you try to build OpenSSH on a machine that was upgraded from an older FreeBSD version and still has old log files lying around, the configure script will enable lastlog and the build will fail.  Conversely, it may incorrectly disable lastlog on a system that supports it if you try to configure and build in a pristine chroot or jail (like poudriere does), because the log files aren't created until someone logs in.

Steven: the bug is not that PrintLastLog doesn't work. It *can't* work, because FreeBSD doesn't have that API any more. The bug is that it is still documented.
Comment 9 Steven Hartland freebsd_committer 2017-02-06 15:51:38 UTC
From my cursory checking it looks like openssh can use utmpx to provide PrintLastLog, which FreeBSD does have, however setting DISABLE_LASTLOG disables all methods of supporting sPrintLastLog hence the issue?
Comment 10 Dag-Erling Smørgrav freebsd_committer 2017-02-06 15:57:46 UTC
I'll have to double-check the code.  At the time, DISABLE_LASTLOG was required to make OpenSSH build.
Comment 11 Steven Hartland freebsd_committer 2017-02-06 16:00:20 UTC
Yes indeed it looks like this was addressed in openssh 7.2p1
Comment 12 Ed Maste freebsd_committer 2019-11-20 15:02:28 UTC
Is this resolved then?
Comment 13 Natalino Picone 2019-12-03 08:45:28 UTC
Has anybody fixed this?
Which is the correct way to re-enable the PrintLastLog option?
Comment 14 Miroslav Lachman 2019-12-03 09:33:09 UTC
(In reply to Natalino Picone from comment #13)
I think it does not work and will not work. I don't use it anymore, I have commented it out on all machines.
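An added example, not part of the thread or of FreeBSD/OpenSSH: a POSIX shell helper that finds active (uncommented) uses of a keyword such as PrintLastLog in an sshd_config, reporting them in the same "line N" style as the sshd message quoted in the description, and that can emit a copy with those lines commented out. The names `scan_cfg` and `sample_config` are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# scan_cfg report FILE KEYWORD...  -> list active directives using KEYWORD
# scan_cfg fix    FILE KEYWORD...  -> print FILE with those directives commented out
# Keywords are compared case-insensitively (the table entry quoted in the
# bug is the lowercase "printlastlog"). Names here are illustrative only.
scan_cfg() {
    mode=$1; cfg=$2; shift 2
    awk -v mode="$mode" -v kws="$*" '
        BEGIN {
            n = split(tolower(kws), k, " ")
            for (i = 1; i <= n; i++) bad[k[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # ignore leading whitespace
            split(line, f, /[ \t=]+/)       # keyword ends at blank or "="
            hit = (line !~ /^#/ && (tolower(f[1]) in bad))
            if (mode == "report") {
                if (hit) printf "%s line %d: %s\n", FILENAME, NR, f[1]
            } else {
                print (hit ? "#" $0 : $0)   # keep every other line untouched
            }
        }' "$cfg"
}

# Constructed sample input (not taken from the bug report).
sample_config() {
    cat <<'EOF'
# constructed sshd_config excerpt
Port 22
#PrintLastLog yes
PrintMotd yes
  printlastlog yes
PermitRootLogin no
EOF
}

# Demo: report the active directive, then show the corrected copy.
demo_cfg="${TMPDIR:-/tmp}/sshd_config.demo.$$"
sample_config > "$demo_cfg"
scan_cfg report "$demo_cfg" PrintLastLog
scan_cfg fix "$demo_cfg" PrintLastLog
rm -f "$demo_cfg"
```

Run the report mode against a copy of /etc/ssh/sshd_config before an upgrade; the already commented-out default line is not flagged, only directives sshd would actually parse.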
Comment 15 Natalino Picone 2019-12-03 10:08:29 UTC
(In reply to Miroslav Lachman from comment #14)
Thanks, I was looking for a way to custom build it with that option enabled as utmpx issues look fixed now.

Which alternatives do I have to print the last failed login when connecting?
Comment 16 Jonathan Vasquez 2020-09-22 11:53:57 UTC
Just adding that this still occurs in FreeBSD 12.1-RELEASE-p10. Not a blocker for me in any way though.