How can I remove the ssh last login info?

Question

Whenever I log into a server using ssh. The prompt gives me "last login" information. I was wondering where this information comes from. How can I remove this record so when someone else log into the same server, the person would see my login info with my ip in it?

So how can I do this? For the record, I am not hacking someone's computer and the server runs Ubuntu 12.04.

EDIT: which file logs this kind of information? If I find the file, then I can do anything to it as root.

Thanks.

score 66 · Answer 1 · edited Mar 14 '22 at 14:23

66

In Debian and Ubuntu, it is found in /etc/ssh/sshd_config.

Find the line that says:

#PrintLastLog yes

And change it to:

PrintLastLog no

(Or add it if not existing.)

Don't forget to restart your ssh daemon:

service ssh restart

edited Mar 14 '22 at 14:23

Roj

103

answered Jul 02 '12 at 13:20

Cameron Aziz

1,020

score 8 · Accepted Answer · answered Jul 02 '12 at 14:00

In addition to /var/log/lastlog, there are 3 files in /var/run and /var/log: utmp, wtmp and btmp, which hold info about current logins (and additional info), historical and failed logins. See http://en.wikipedia.org/wiki/Utmp for detailed description. You can't edit the files with normal editors, but could erase them.

score 4 · Answer 3 · answered Aug 22 '12 at 21:34

utmp is normally in /var/run, not /var/log. wtmp and btmp are in /var/log.

ssh is not the only program that writes to these three files. If you delete them, as someone suggested, you will break a lot of programs. They are expected to be there. Change the /etc/ssh/sshd_config file, as Cameron Aziz suggested.

You are not the only process in the shell. You are not using a single-tasking operating system. Getting used to working on a true network operating system was one of the hardest mental shifts I have ever made, right up there with using a mainframe and learning calculus. In practical terms, this means that you should never remove a file unless you know exactly what it does in the system.

In order to get a flavor for just how widely some files are used, take a look at lsof and play around with it. Even lsof only tells you what processes are CURRENTLY using your file, it doesn't give you historical data, so be careful.

score 3 · Answer 4 · answered Jul 02 '12 at 13:53

3

The PrintLastLog configuration keyword pulls information from the /var/log/lastlog file

You can use the command lastlog, to view this information at the command line.

answered Jul 02 '12 at 13:53

Don Simon

524
3
9

Rahul Sreeram · Answer 5 · 2022-04-07T09:36:06.687

2

if "last login" is the only information printed, then you can also try hushlogin. This will suppress all information during login and is controllable per user.

touch $HOME/.hushlogin

You can refer login manpage for more information.

edited Apr 07 '22 at 09:36

answered Apr 05 '22 at 11:00

Rahul Sreeram

121
5

score 1 · Answer 6 · answered Oct 20 '15 at 08:53

Here's an alternative which works for GNU and BSD (Mac OS X). It also accounts for the fact most settings are commented out by default - they are in El Capitan anyway):

sudo sed -i.bak "s/^#?PrintLastLog yes$/^PrintLastLog no$/" /etc/ssh/sshd_config

Without the -i.bak change I kept getting:

sed: 1: "/etc/ssh/sshd_config": bad flag in substitute command: 'h'

score 0 · Answer 7 · answered Oct 14 '14 at 07:41

0

Here Is The Command To Do This Automatically:

sudo sed -i "s/PrintLastLog .*/PrintLastLog no/1" /etc/ssh/sshd_config

answered Oct 14 '14 at 07:41

Andy

101

How can I remove the ssh last login info?

7 Answers7