Bug 209441 - SSHd in FreeBSD 10.3 complains about PrintLastLog
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.3-RELEASE
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: Dag-Erling Smørgrav
Reported: 2016-05-10 23:56 UTC by Miroslav Lachman
Modified: 2017-02-06 16:00 UTC
Description Miroslav Lachman 2016-05-10 23:56:19 UTC
I had "PrintLastLog yes" in my sshd_config for many years, but after upgrading to 10.3 I got this error message:

/etc/ssh/sshd_config line 112: Unsupported option PrintLastLog

It is confusing because "#PrintLastLog yes" is still included in the default sshd_config file and mentioned in the manpage.

Is it an error in the default config or an error in sshd? What should be fixed?


I found this in /usr/src/crypto/openssh/servconf.c:

#ifdef DISABLE_LASTLOG
        { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
#else
        { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
#endif


Does it mean that the new sshd in FreeBSD 10.3 was (un)intentionally compiled with "DISABLE_LASTLOG" (--disable-lastlog)?


We have our own build server with svnup /usr/src and buildworld & buildkernel and installkernel & installworld.

# cat /etc/src.conf

WITHOUT_KERNEL_SYMBOLS=yes



# cat /etc/make.conf

WITH_PKGNG= yes

SVN_UPDATE=yes
SVN="/usr/local/bin/svnup"
SVNFLAGS=""


WITH_GHOSTSCRIPT_VER=9

DEFAULT_VERSIONS= perl=5.20 mysql=5.5m php=55 python=2.7 apache=2.4

## https://wiki.freebsd.org/Ports/Options/OptionsNG
## OptionsNG sets DOCS, EXAMPLES and NLS as default - we do not need them
OPTIONS_UNSET= X11 GUI CUPS DOCS EXAMPLES NLS


## cd /usr/ports/www/apache22 && make print-closest-mirrors
MASTER_SITE_APACHE_HTTPD?= http://apache.miloslavbrada.cz/httpd/ http://mirror.hosting90.cz/apache/httpd/ ftp://mirror.hosting90.cz/apache/httpd/ http://www.eu.apache.org/dist/httpd/

## closest PHP mirror
MASTER_SITE_PHP= http://cz.php.net/%SUBDIR%/
Comment 1 elofu17 2016-11-04 14:29:25 UTC
I just upgraded a 10.1 machine to 10.3 and got exactly the same.

2016-11-04 15:28:02 +01:00 foobar sshd[3899]: rexec line 12: Unsupported option PrintLastLog

What gives?
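The two warnings quoted so far can be tied back to the configuration line that triggers them. The script below is an added example, not part of the bug thread or of FreeBSD; the function names, the third log line and the four-line sshd_config are constructed for illustration.

```shell
#!/bin/sh
# Added example: map sshd "Unsupported option" warnings to active config lines.

# Read sshd log or stderr lines on stdin; print each unsupported option once.
unsupported_opts() {
    sed -n 's/.* line [0-9][0-9]*: Unsupported option \([A-Za-z0-9]*\).*/\1/p' | sort -u
}

# Print "LINENO:TEXT" for every active use of keyword $1 in config file $2.
# sshd compares keywords case-insensitively and accepts "Keyword=value",
# so the first token is split on blanks or "=" and lowercased.
active_lines() {
    awk -v kw="$1" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ { next }    # commented defaults such as "#PrintLastLog yes"
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (n && tolower(f[1]) == kw) print NR ":" $0
        }
    ' "$2"
}

# $1 = log file, $2 = sshd_config: list the lines to remove or comment out.
report() {
    unsupported_opts < "$1" | while read -r opt; do
        active_lines "$opt" "$2" | sed "s/^/$opt at line /"
    done
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# First two lines are the messages quoted in this report; the third is constructed.
cat > "$tmp/log" <<'EOF'
/etc/ssh/sshd_config line 112: Unsupported option PrintLastLog
2016-11-04 15:28:02 +01:00 foobar sshd[3899]: rexec line 12: Unsupported option PrintLastLog
2016-11-04 15:28:05 +01:00 foobar sshd[3899]: Accepted publickey for demo from 192.0.2.10 port 50000 ssh2
EOF
# Constructed config: a commented default plus an active lowercase setting.
cat > "$tmp/sshd_config" <<'EOF'
#PrintLastLog yes
Port 22
printlastlog yes
PrintMotd no
EOF
report "$tmp/log" "$tmp/sshd_config"
```
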
Comment 2 Jason Mader 2016-11-04 16:06:19 UTC
PrintLastLog is also in FreeBSD 11.0-RELEASE sshd_config and man page
Comment 3 Andres Montalban 2017-01-06 20:32:29 UTC
+1

The docs say it's a valid option but sshd complains about it.
Comment 4 Miroslav Lachman 2017-01-06 21:48:13 UTC
It's a bad regression and I am sad nobody cares about it.
Why do we have Bugzilla then?
Comment 6 Miroslav Lachman 2017-02-06 13:20:53 UTC
(In reply to llua from comment #5)

Fine, DES made this commit, but it still doesn't explain who approved this POLA violation (breakage after upgrade) and why FreeBSD is still shipped with PrintLastLog in default config and documentation.

So this should be reverted or other parts must be fixed.
I am disappointed that this serious issue has no attention from the RE team or committers.
Comment 7 Steven Hartland freebsd_committer 2017-02-06 13:53:34 UTC
Based on the commit message for https://svnweb.freebsd.org/base?view=revision&revision=247893 it sounds like this should never have worked in 10 and was only there as the configure script incorrectly detected utmp / lastlog.

That said it appears that lastlog in sshd supports utmpx via getutxuser.

Digging some more it seems like this may well be a change in behaviour of the openssh DISABLE_LASTLOG from the upstream 7.2p1 change set:
e#diff-267d507f9cf4a70e051aaeecb89ad93bR509


This wasn't merged through until 7.2p2:
https://svnweb.freebsd.org/base?view=revision&revision=296633

Given this I think this was unintended and there should be a new commit to remove --disable-lastlog which was added here:
https://svnweb.freebsd.org/base/head/crypto/openssh/FREEBSD-upgrade?r1=247892&r2=247891&pathrev=247892
Comment 8 Dag-Erling Smørgrav freebsd_committer 2017-02-06 15:17:03 UTC
Miroslav: the problem is (or was, at the time) that the configure script looks for the actual log files rather than the APIs.  If you try to build OpenSSH on a machine that was upgraded from an older FreeBSD version and still has old log files lying around, the configure script will enable lastlog and the build will fail.  Conversely, it may incorrectly disable lastlog on a system that supports it if you try to configure and build in a pristine chroot or jail (like poudriere does), because the log files aren't created until someone logs in.

Steven: the bug is not that PrintLastLog doesn't work. It *can't* work, because FreeBSD doesn't have that API any more. The bug is that it is still documented.
Comment 9 Steven Hartland freebsd_committer 2017-02-06 15:51:38 UTC
From my cursory checking it looks like openssh can use utmpx to provide PrintLastLog, which FreeBSD does have, however setting DISABLE_LASTLOG disables all methods of supporting sPrintLastLog hence the issue?
Comment 10 Dag-Erling Smørgrav freebsd_committer 2017-02-06 15:57:46 UTC
I'll have to double-check the code.  At the time, DISABLE_LASTLOG was required to make OpenSSH build.
Comment 11 Steven Hartland freebsd_committer 2017-02-06 16:00:20 UTC
Yes indeed it looks like this was addressed in openssh 7.2p1