4.2 and the 'last' command

Jason.C.Burns at wellsfargo.com
Thu Nov 17 11:06:27 EST 2005

We've run into an interesting dilemma regarding last log information and
ssh 4.2p1.  In 3.8, we didn't see this problem, but it has now cropped up
in 4.2.

When a user logs in, sshd seems to call 'last' to get the last log
information.  'last' then opens the /var/log/wtmp file and processes the
information.  On some systems, this file can be quite large, and we're
seeing login times of upwards of around a minute while 'last' pegs the
system resources.

My question:  I can't find in the source where 'last' is explicitly
called, so is there an API call that was added between these versions
that would refer the system to 'last'?  I've noticed a function
'login_get_lastlog' that seems to get the information with its own
algo, but I didn't see an option in the config to turn that on.  I only
found the option to turn last log information completely off, and
unfortunately that's not an option.

Anybody have any other ideas on where to go to find where 'last' is
being called, or any other ideas on how to optimize it?  Thanks!
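
To illustrate why a last-login lookup over /var/log/wtmp gets slower as the file grows, here is an added example (not part of the original post and not OpenSSH code) that walks wtmp records newest to oldest and counts how many it reads. It assumes the 384-byte glibc `struct utmp` layout of Linux x86-64; the user names, hosts, timestamps and helper names are constructed for the illustration.

```python
import io
import struct

# Assumption: glibc `struct utmp` on Linux x86-64, 384 bytes per record.
# type, pid, line, id, user, host, exit(2), session, tv_sec, tv_usec, addr_v6(4)
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type value for a normal login session


def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def make_record(user, line, host, ts):
    """Pack one constructed login record (pid 1000 is arbitrary)."""
    return UTMP.pack(USER_PROCESS, 1000, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def build_sample(n_busy):
    """Constructed wtmp: one old login for 'rare', then n_busy for 'busy'."""
    buf = io.BytesIO()
    buf.write(make_record("rare", "pts/0", "10.0.0.5", 1132000000))
    for i in range(n_busy):
        buf.write(make_record("busy", "pts/1", "10.0.0.9", 1132000100 + i))
    return buf


def last_login(fh, user):
    """Return ((ts, line, host) or None, number of records examined)."""
    fh.seek(0, io.SEEK_END)
    end = fh.tell()
    pos = end - end % UTMP.size  # skip a truncated trailing record
    examined = 0
    while pos >= UTMP.size:
        pos -= UTMP.size
        fh.seek(pos)
        f = UTMP.unpack(fh.read(UTMP.size))
        examined += 1
        if f[0] == USER_PROCESS and _s(f[4]) == user:
            return (f[9], _s(f[2]), _s(f[5])), examined
    return None, examined


if __name__ == "__main__":
    wtmp = build_sample(50000)
    for name in ("busy", "rare", "nobody"):
        hit, examined = last_login(wtmp, name)
        print(f"{name}: {hit} after {examined} records")
```

A user who logs in often is found after one record, while a rarely used or never-seen account forces a read of every record in the file, so the cost of the lookup is bounded by the size of wtmp.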

More information about the openssh-unix-dev mailing list