A fundamental component of authentication management is monitoring the system after you have configured your users.
Luckily, modern Linux systems log all authentication attempts in a discrete file. This is located at "/var/log/auth.log":
sudo less /var/log/auth.log
May 3 18:20:45 localhost sshd: Server listening on 0.0.0.0 port 22.
May 3 18:20:45 localhost sshd: Server listening on :: port 22.
May 3 18:23:56 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 3 18:23:56 localhost login: ROOT LOGIN on '/dev/tty1'
Sep 5 13:49:07 localhost sshd: Received signal 15; terminating.
Sep 5 13:49:07 localhost sshd: Server listening on 0.0.0.0 port 22.
Sep 5 13:49:07 localhost sshd: Server listening on :: port 22.
. . .
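
Reading the file by eye does not scale, so here is an added example (not part of the original tutorial) that summarizes auth.log entries: sessions opened per user and service, failed SSH passwords per source address, and root console logins. The sample log lines, the address 203.0.113.9 and the function names are constructed for illustration; the message formats assumed are the usual pam_unix, login and sshd ones.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/auth.log format shown above (not real log data).
# 203.0.113.9 is a documentation-range address; "demoer" is the tutorial's demo user.
SAMPLE_LOG = """\
May  3 18:20:45 localhost sshd[812]: Server listening on 0.0.0.0 port 22.
May  3 18:23:56 localhost login[901]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May  3 18:23:56 localhost login[901]: ROOT LOGIN on '/dev/tty1'
Sep  5 18:19:02 localhost sshd[1440]: pam_unix(sshd:session): session opened for user demoer by (uid=0)
Sep  5 18:21:10 localhost sshd[1502]: Failed password for root from 203.0.113.9 port 40022 ssh2
Sep  5 18:21:14 localhost sshd[1502]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Sep  5 18:35:40 localhost sshd[1533]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# syslog prefix: timestamp, host, program, optional [pid], then the message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
OPENED = re.compile(r"pam_unix\(([\w-]+):session\): session opened for user ([^\s(]+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ROOT_TTY = re.compile(r"ROOT LOGIN\s+on '([^']+)'")

def summarize(text):
    """Count session opens per (user, service), failed passwords per source,
    and collect the terminals used for root console logins."""
    opened, failed, root_ttys = Counter(), Counter(), []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a syslog-style line
        msg = m.group(4)
        if s := OPENED.search(msg):
            opened[(s.group(2), s.group(1))] += 1
        elif f := FAILED.search(msg):
            failed[f.group(2)] += 1
        elif r := ROOT_TTY.search(msg):
            root_ttys.append(r.group(1))
    return {"opened": opened, "failed": failed, "root_ttys": root_ttys}

def unexpected_users(summary, expected):
    """Users that opened a session but are not in the set you expect to log in."""
    return sorted({user for user, _ in summary["opened"]} - set(expected))

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    print("unexpected:", unexpected_users(report, expected={"demoer"}))
```

To run it against a live system, pass the file contents to summarize() instead of SAMPLE_LOG; reading /var/log/auth.log normally requires root or membership in the group that owns the log.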
Usually, you will only be interested in the most recent login attempts. You can see these with the "last" tool:
demoer   pts/1   rrcs-72-43-115-1   Thu Sep 5 19:37   still logged in
root     pts/1   rrcs-72-43-115-1   Thu Sep 5 19:37 - 19:37  (00:00)
root     pts/0   rrcs-72-43-115-1   Thu Sep 5 19:15   still logged in
root     pts/0   rrcs-72-43-115-1   Thu Sep 5 18:35 - 18:44  (00:08)
root     pts/0   rrcs-72-43-115-1   Thu Sep 5 18:20 - 18:20  (00:00)
demoer   pts/0   rrcs-72-43-115-1   Thu Sep 5 18:19 - 18:19  (00:00)
This gives a formatted version of the "/etc/log/wtmp" file.
As you can see, the first and third lines show that the user is still logged into the system. For the other sessions, the total time logged into the system is given by a set of hyphen-separated values.
If you would like to look at this situation from a different angle, you can view the last time each user on the system logged in.
This information is provided by accessing the "/etc/log/lastlog" file. It is then sorted according to the entries in the "/etc/passwd" file:
Username   Port    From               Latest
root       pts/1   rrcs-72-43-115-1   Thu Sep 5 19:37:02 +0000 2013
daemon                                **Never logged in**
bin                                   **Never logged in**
sys                                   **Never logged in**
sync                                  **Never logged in**
games                                 **Never logged in**
. . .
You can see the latest login time of every user on the system.
Notice how the system users will almost all have "**Never logged in**". We saw earlier how these accounts do not have password authentication set up, so this is the expected value.
User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with very simple tools.
It is important to understand where the system keeps information about logins so that you can monitor your server for changes that do not reflect your usage.