last command shows entries for denied logins

Darren Tucker dtucker at
Tue Nov 8 23:01:28 EST 2005

On Sat, Nov 05, 2005 at 03:07:50PM +0530, Senthil Kumar wrote:
> Im using OpenSSH 4.2p1. Suppose I disable non-root logins to my system 
> through /etc/nologin file, SSH writes an entry for the non-root user in wtmp 
> file. This is because the writing in wtmp file happens in parent process 
> where checking of nologin file happens in the child one. I like to know 
> whether we should put an entry in wtmp file for such denied logins.

>From sshd's perspective, what's happening is that the session is permitted
but exits immediately after showing the user the contents of /etc/nologin.
The login recording happens when the pty is allocated.  Should it do that?
Probably not.

That behaviour could be changed by checking for /etc/nologin earlier.
The trick is you'd have to do it before the pty allocation.

Basically, you check nologin and if found, append the content to
loginmsg and setting a nologin flag.  That flag would need to deny the
pty request and cause the shell child to exit immediately after displaying
the loginmsg.

I did something along those lines at one point to make the BSM audit
code able to audit nologin events.  I might be able to dig that up.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list