Macos – ssh, “Last Login”, `last` and OS X


I have hit the googles as much as I can on this; being specific to OS X, I am not finding an answer. Nothing is wrong, but curiosity levels are high.

$ ssh foobar@lan-connection.local
Password:
Last login: Wed Apr  7 21:28:03 2010 from my-laptop.local
^lonely tylenol^
  • Line 1 is my command
  • line 2 is the shell asking for the password
  • line 3 is where my question comes from
  • line 4 comes out of /etc/motd

I can find nothing in any of the .bash* files in ~/ that contains the string "Last Login", and would like to alter it. It performs some type of hostname lookup, which I cannot determine.

If I ssh to another host:

$ ssh remote-host@remote.location456.example.com
Last login: Wed Apr  7 21:14:51 2010 from 123-234-321-123-some.cal.isp.net.example
hi there, you are on box 456
  • line 1 is my command
  • line 2 is again, where my question comes from
  • line 3 is from /etc/motd

*The dash'd IP address is not reversed

On this remote host, I have ~/.ssh and its corresponding keys set up, so there was no password request.

Where is the "Last Login:" coming from, where does the date stamp come from, and most importantly, where does the hostname come from?

While on remote-host@remote.location.example.com (box 456)
$ echo $(hostname)
remote.location.example456.com

Or with dig, to make sure I have rDNS/PTR set up, for which I am not authoritative, but my ISP has correctly set…

$ dig -x 123.234.321.123  PTR   remote.location.example456.com

or

$ dig PTR 123.321.234.123.in-addr.arpa. +short
remote.location.example456.com.

My previous hostname used to be 123-234-321-123-some.cal.isp.net.example, which I set with `hostname -s remote.location.example456.com`, because it was obnoxious to see such a long name. That solves the value of `echo $(hostname)`, which now returns remote.location.example456.com.

Mac OS X, 10.6 in this case, does seem to honor:

touch ~/.hushlogin

If I leave that file empty, I get nothing on the shell when I log in. I want to know what controls the host resolution of the IP, and how it is all working. For example, running `last` reports a huge list of my logins, which have obtusely long hostnames, when it would be preferable for them to just be remote.location.example456.com.

More confusing to me, reading the man page for wtmp and lastlog, it looks like lastlog is not used on OS X, /var/log/lastlog does not exist. Actually, none of these exist on 10.5 or 10.6:

 /var/run/utmp     The utmp file.
 /var/log/wtmp     The wtmp file.
 /var/log/lastlog  The lastlog file.

If I am to assume that the system is doing some kind of reverse lookup, I certainly do not know what it is, as it is not an accurate one.

Best Answer

The man pages on my 10.6 machine point me in the direction of asl(3), utmpx(5), and endutxent(3). It seems modern Mac OS X records utmp/wtmp/lastlog-like information in the Apple SysLog (asl) database files at /var/log/asl/*.

It seems the long hostnames that bother you were recorded in that database back when that was what those hosts were named, and you can't get rid of them short of pruning or editing your asl database.
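
The getutxent(3) family that the answer's man pages point to, as an added example (not code from the question or the answer): it reads login records and prints the host exactly as it is stored in the record's ut_host field. The function names `format_last_login` and `newest_record_for` are hypothetical, UTC is used instead of local time so the output is reproducible, and `getutxent()` walks only the current utmpx database, so it does not cover the history that `last` prints.

```c
/* Added example: read utmpx login records with the getutxent(3) family. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utmpx.h>

/* Render one record the way the login banner reads. The host is printed
 * exactly as stored in ut_host; no name lookup is done here. UTC is an
 * assumption made for reproducible output. */
int format_last_login(const struct utmpx *u, char *out, size_t n)
{
    char when[32];
    time_t t = (time_t)u->ut_tv.tv_sec;
    struct tm *tm = gmtime(&t);

    if (tm == NULL || strftime(when, sizeof when, "%a %b %e %H:%M:%S %Y", tm) == 0)
        return -1;
    /* ut_host is a fixed-size field that may lack a trailing NUL. */
    return snprintf(out, n, "Last login: %s from %.*s",
                    when, (int)sizeof u->ut_host, u->ut_host);
}

/* Copy the newest USER_PROCESS record for `user` into *out.
 * Returns 1 if one was found, 0 otherwise. */
int newest_record_for(const char *user, struct utmpx *out)
{
    struct utmpx *e;
    int found = 0;

    setutxent();
    while ((e = getutxent()) != NULL) {
        if (e->ut_type != USER_PROCESS ||
            strncmp(e->ut_user, user, sizeof e->ut_user) != 0)
            continue;
        if (!found || e->ut_tv.tv_sec > out->ut_tv.tv_sec) {
            *out = *e;
            found = 1;
        }
    }
    endutxent();
    return found;
}

int main(int argc, char **argv)
{
    struct utmpx rec;
    char line[400];

    if (argc == 2 && newest_record_for(argv[1], &rec) &&
        format_last_login(&rec, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```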
