Home / ubuntu / Questions / 107602
Accepted
lumbric
Asked: 2012-02-26 02:48:12 +0800 CST

Command last does not show logins through sFTP, is there something similar or any logs?

  • 772

When I run last I get something like:

user    pts/0        user.domain.provider Sat Feb 25 11:44   still logged in 
user    pts/0        user.domain.provider Thu Feb 23 16:38 - 16:39  (00:00)
...

But if I connect to the server with sFTP, this won't show up in this list. Are there any other logs or a different command?

sftp

3 Answers

  1. Best Answer

    The default configuration of syslogd sends all log messages related to authentication to /var/log/auth.log, which will include openssh-server's log messages.

    • 4

  2. The last commands reads from /var/log/wtmp and its bad cousin /var/log/btmp, which according to man (man wtmp) are the login records.

    Not all processes use this facility, so there may be other users logged to the system.

    In the sftp case, I think that sshd does not consider scp or sftp as interactive sessions.

    This was also discussed at https://unix.stackexchange.com/questions/20070/user-logged-in-by-sftp-does-not-show-up-in-w .

    • 2

  3. Add pam_lastlog.so module at the beginning of session section in /etc/pam.d/sshd file as shown below.

    # vi /etc/pam.d/sshd 
<snip..>
session    required     pam_lastlog.so
session    required     pam_selinux.so close
session    required     pam_loginuid.so
<snip..>

    Ensure the option UsePAM is enabled in /etc/ssh/sshd_config. If not, make the changes and restart sshd service.

    # vi /etc/ssh/sshd_config 
<snip..>
#UsePAM no
UsePAM yes
<snip..>

# service sshd restart
    • 1