diff mbox series

[meta-selinux,V2] shadow: comment out pam_lastlog line in login pam file

Message ID 20240725090449.167826-1-yi.zhao@windriver.com
State New
Headers show
Series [meta-selinux,V2] shadow: comment out pam_lastlog line in login pam file | expand

Commit Message

Yi Zhao July 25, 2024, 9:04 a.m. UTC
The pam_lastlog module is deprecated and disabled by default in
linux-pam since 1.5.3[1]. Comment out this line to avoid loading
pam_lastlog module by default. Users can use lastlog2 provided by
util-linux as an alternative[2].

[1] https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816
[2] https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=c2e299d0acb2fa4ad1691452fa0eae76520bbdb0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 recipes-extended/shadow/files/pam.d/login | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/recipes-extended/shadow/files/pam.d/login b/recipes-extended/shadow/files/pam.d/login
index ec5bba9..e0ca0e7 100644
--- a/recipes-extended/shadow/files/pam.d/login
+++ b/recipes-extended/shadow/files/pam.d/login
@@ -66,7 +66,10 @@  session    required   pam_limits.so
 
 # Prints the last login info upon succesful login
 # (Replaces the `LASTLOG_ENAB' option from login.defs)
-session    optional   pam_lastlog.so
+# Use pam_lastlog2 provided by util-linux instead of
+# pam_lastlog, as the latter has been deprecated and
+# disabled by default since linux-pam 1.5.3.
+#session    optional   pam_lastlog2.so
 
 # Prints the motd upon succesful login
 # (Replaces the `MOTD_FILE' option in login.defs)