linux – pts登录中`last`输出中缺少IP信息的原因？

我有五个CentOS 6 linux系统正在运行,遇到一个相当奇怪的问题,我的用户ID似乎只发生在我所有的 Linux系统上…这是我从上一个命令中排除的条目问题的一个例子. ..

mpenning pts/19                        Fri Nov 16 10:32 - 10:35  (00:03)
mpenning pts/17                        Fri Nov 16 10:21 - 10:42  (00:21)
bill     pts/15       sol-bill.local   Fri Nov 16 10:19 - 10:36  (00:16)
mpenning pts/1        192.0.2.91       Fri Nov 16 10:17 - 10:49 (12+00:31)
kkim14   pts/14       192.0.2.225      Thu Nov 15 18:02 - 15:17 (4+21:15)
gduarte  pts/10       192.0.2.135      Thu Nov 15 12:33 - 08:10 (11+19:36)
gduarte  pts/9        192.0.2.135      Thu Nov 15 12:31 - 08:10 (11+19:38)
kkim14   pts/0        :0.0             Thu Nov 15 12:27 - 15:17 (5+02:49)
gduarte  pts/6        192.0.2.135      Thu Nov 15 11:44 - 08:10 (11+20:25)
kkim14   pts/13       192.0.2.225      Thu Nov 15 09:56 - 15:17 (5+05:20)
kkim14   pts/12       192.0.2.225      Thu Nov 15 08:28 - 15:17 (5+06:49)
kkim14   pts/11       192.0.2.225      Thu Nov 15 08:26 - 15:17 (5+06:50)
dspencer pts/8        192.0.2.130      Wed Nov 14 18:24   still logged in
mpenning pts/18       alpha-console-1. Mon Nov 12 14:41 - 14:46  (00:04)

您可以看到上面的两个pts登录条目没有与之关联的源IP地址.我的CentOS机器有多达六个共享系统的其他用户.我的登录大约有10％看到此问题,但没有其他用户名表现出此行为.对于没有源IP地址的条目,/ var / log / secure中没有条目.

问题

鉴于我保留在这些系统上的脚本(它控制着我们的大部分网络基础设施),我对此感到有点害怕,并希望了解什么会导致我的登录偶尔错过源地址.

>为什么最后-i显示0.0.0.0用于pts行条目(另见this answer)
>是否有合理解释行为的东西(除了恶意活动)？
>除了bash历史时间戳,还有其他我可以做的事情来跟踪问题吗？

信息化

自从这开始发生以来,我启用了bash历史时间戳(即.bash_profile中的HISTTIMEFORMAT =“％y-％m-％d％T”)并且还添加了few other bash history hacks;但是,这并没有提供前一次事件中发生的事情的线索.

所有系统都运行CentOS 6.3 ……

[mpenning@typo ~]$uname -a
Linux typo.local 2.6.32-279.9.1.el6.x86_64 #1 SMP Tue Sep 25 21:43:11 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[mpenning@typo ~]$

编辑

如果我使用last -i mpenning,我会看到这样的条目……

mpenning pts/19       0.0.0.0          Fri Nov 16 10:32 - 10:35  (00:03)
mpenning pts/17       0.0.0.0          Fri Nov 16 10:21 - 10:42  (00:21)

请注意那些试图回答：我没有使用screen命令或GUI登录.我的所有登录都来自SSH;要获得赏金奖励,您必须引用权威参考资料来解释仅通过SSH获取的最后一个-i 0.0.0.0条目.

编辑2(关于ewwhite的问题)

/etc/resolv.conf(请注意,我在上面的上一个输出中使用了.local addrs来隐藏我公司的信息)

[mpenning@sasmars network]$cat /etc/resolv.conf
nameserver 192.0.2.40
nameserver 192.0.2.60
domain mycompany.com
search mycompany.com
[mpenning@sasmars network]$

/ etc / hosts info(请注意,此自定义主机文件仅存在于存在这些问题的其中一台计算机上)

[mpenning@sasmars network]$cat /etc/hosts
127.0.0.1       localhost.localdomain localhost
192.0.2.44      sasmars.mycompany.com sasmars
::1             localhost6.localdomain6 localhost6

## Temporary kludge until I add reverse hostname mappings...
## Firewalls
192.0.2.254     a2-inet-fw1
192.0.2.253     a2-inet-fw2
192.0.2.254     a2-wan-fw1
192.0.2.253     a2-wan-fw2
192.0.2.201     a2-fab-fw1
192.0.2.202     a2-fab-fw2
192.0.2.203     t1-eds-fw1
192.0.2.42      sasvpn
192.0.2.246     sasasa1
192.0.2.10      sasoutfw1
## Wireless
192.0.2.6       saswcs1
192.0.2.2       l2wlc3
192.0.2.4       l2wlc4
192.0.2.12      f2wlc5
192.0.2.16      f2wlc6
192.0.2.14      f2wlc1
192.0.2.8       f2wlc2
[mpenning@sasmars network]$

sftp来自/ var / log / secure *的输出

Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: called (pam_tacplus v1.3.7)
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: user [mpenning] obtained
Dec 26 10:36:37 sasmars sshd[26016]: tacacs_get_password: called
Dec 26 10:36:37 sasmars sshd[26016]: tacacs_get_password: obtained password
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: password obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: tty [ssh] obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: rhost [192.0.2.91] obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: trying srv 0
Dec 26 10:36:38 sasmars sshd[26016]: Accepted password for mpenning from 192.0.2.91 port 55118 ssh2
Dec 26 10:36:38 sasmars sshd[26016]: pam_sm_setcred: called (pam_tacplus v1.3.7)
Dec 26 10:36:38 sasmars sshd[26016]: pam_unix(sshd:session): session opened for user mpenning by (uid=0)
Dec 26 10:36:38 sasmars sshd[26018]: pam_sm_setcred: called (pam_tacplus v1.3.7)
Dec 26 10:36:38 sasmars sshd[26018]: subsystem request for sftp
Dec 26 10:37:20 sasmars sshd[26016]: pam_unix(sshd:session): session closed for user mpenning
Dec 26 10:37:20 sasmars sshd[26016]: pam_sm_setcred: called (pam_tacplus v1.3.7)

最终解决方案

见my answer below

解决方法

RedHat和Debian之间的脚本行为差异

链接库

CentOS 6.3 – 脚本(util-linux-ng 2.17.2)

#ldd /usr/bin/script

linux-vdso.so.1 =>  (0x00007fff077ff000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007f309f5d1000)
libutempter.so.0 => /usr/lib64/libutempter.so.0 (0x00007f309f3cf000)
libc.so.6 => /lib64/libc.so.6 (0x00007f309f03b000)
/lib64/ld-linux-x86-64.so.2 (0x00007f309f7e1000)

Ubuntu 12.04 – 脚本(util-linux 2.20.1)

#ldd /usr/bin/script

linux-vdso.so.1 =>  (0x00007fff375ff000)
libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007fc0d7ab0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc0d76f1000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc0d7cdc000)

PTY

基于upstream source code,两个版本的脚本都会打开新的pty.以下是测试.

Ubuntu 12.04

john@U64D211:~/tmp$ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp$script
Script started,file is typescript
john@U64D211:~/tmp$ls /dev/pts
0  1  2  5  8  ptmx
john@U64D211:~/tmp$last -i
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in   
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 09:52  (00:44)    
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)    
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)    

wtmp begins Tue Jan  1 20:48:28 2013
john@U64D211:~/tmp$exit
exit
Script done,file is typescript
john@U64D211:~/tmp$ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp$

Ubuntu 12.04脚本确实开了一个新的pts(2).它只是没有更新/ var / log / wtmp.

CentOS 6

我正在跳过测试,因为我们已经知道脚本会打开pty并注册wtmp.

libutemper

>项目：http://freecode.com/projects/libutempter
>描述：libutempter为终端模拟器(如screen和xterm)提供了一个库接口,用于将用户会话记录到utmp和wtmp文件.

所以主要区别似乎是额外的库(libutempter.so.0)与CentOS脚本相关联.

用Ubuntu 12.04测试

使用libutempter编译脚本

john@U64D211:~/tmp/util-linux-2.20.1$sudo apt-get install libutempter-dev
john@U64D211:~/tmp/util-linux-2.20.1$./configure --with-utempter
john@U64D211:~/tmp/util-linux-2.20.1$make
john@U64D211:~/tmp/util-linux-2.20.1$cd term-utils/
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ldd ./script
linux-vdso.so.1 =>  (0x00007fff54dff000)
libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f289e635000)
libutempter.so.0 => /usr/lib/libutempter.so.0 (0x00007f289e432000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f289e072000)
/lib64/ld-linux-x86-64.so.2 (0x00007f289e861000)

测试

在运行脚本之前

john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$last -i
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in   
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 10:37  (01:28)    
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)    
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)    

wtmp begins Tue Jan  1 20:48:28 2013

在脚本中

john@U64D211:~/tmp/util-linux-2.20.1/term-utils$./script
Script started,file is typescript
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ls /dev/pts
0  1  2  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$last -i
john     pts/2        0.0.0.0          Sat Jan  5 10:37   still logged in   
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in   
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 10:37  (01:29)    
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)    
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)    

wtmp begins Tue Jan  1 20:48:28 2013
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$exit
exit
Script done,file is typescript

脚本结束后

john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$last -i
john     pts/2        0.0.0.0          Sat Jan  5 10:37 - 10:37  (00:00)    
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in   
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 10:37  (01:29)    
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)    
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)    

wtmp begins Tue Jan  1 20:48:28 2013
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$last
john     pts/2                         Sat Jan  5 10:37 - 10:37  (00:00)    
john     pts/0        :0               Sat Jan  5 09:09   still logged in   
reboot   system boot  3.2.0-35-generic Sat Jan  5 09:08 - 10:38  (01:30)    
john     pts/0        :0               Thu Jan  3 00:50 - 01:42  (00:52)    
reboot   system boot  3.2.0-35-generic Thu Jan  3 00:48 - 01:43  (00:54)    

wtmp begins Tue Jan  1 20:48:28 2013

emtpy主机名的根本原因

是的,script.c确实创建了具有空主机名的wtmp条目.请参阅util-linux-2.20.1 / term-utils / script.c中的以下代码块.行：245-247

#ifdef HAVE_LIBUTEMPTER
    utempter_add_record(master,NULL);
#endif

基于libutempter-1.1.5 / utempter.h

extern int utempter_add_record (int master_fd,const char *hostname);

所以script.c实际上是将空主机名传递给utempter_add_record.

RedHat Backport

有趣的是,上游util-linux-ng-2.17.2实际上不支持libutempter.似乎Redhat决定补充支持.

john@U64D211:~/tmp/util-linux-ng-2.17.2$./configure --help|grep utemp

上面的命令返回空结果.

结论

因此,两个发行版之间的行为差异不是错误,而是一个选择. RedHat决定支持该功能,而Debian则跳过它.

linux – pts登录中`last`输出中缺少IP信息的原因？

解决方法

相关推荐