linux – What causes missing IP info in `last` output on pts logins?
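I have five CentOS 6 Linux systems running and have run into a rather strange problem that only seems to happen to my user ID, across all of my Linux systems... Here is an example of the problem, in entries I excerpted from the `last` command...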
```
mpenning pts/19                        Fri Nov 16 10:32 - 10:35  (00:03)
mpenning pts/17                        Fri Nov 16 10:21 - 10:42  (00:21)
bill     pts/15       sol-bill.local   Fri Nov 16 10:19 - 10:36  (00:16)
mpenning pts/1        192.0.2.91       Fri Nov 16 10:17 - 10:49 (12+00:31)
kkim14   pts/14       192.0.2.225      Thu Nov 15 18:02 - 15:17 (4+21:15)
gduarte  pts/10       192.0.2.135      Thu Nov 15 12:33 - 08:10 (11+19:36)
gduarte  pts/9        192.0.2.135      Thu Nov 15 12:31 - 08:10 (11+19:38)
kkim14   pts/0        :0.0             Thu Nov 15 12:27 - 15:17 (5+02:49)
gduarte  pts/6        192.0.2.135      Thu Nov 15 11:44 - 08:10 (11+20:25)
kkim14   pts/13       192.0.2.225      Thu Nov 15 09:56 - 15:17 (5+05:20)
kkim14   pts/12       192.0.2.225      Thu Nov 15 08:28 - 15:17 (5+06:49)
kkim14   pts/11       192.0.2.225      Thu Nov 15 08:26 - 15:17 (5+06:50)
dspencer pts/8        192.0.2.130      Wed Nov 14 18:24   still logged in
mpenning pts/18       alpha-console-1. Mon Nov 12 14:41 - 14:46  (00:04)
```

You can see that two of my pts login entries above have no source IP address associated with them. My CentOS machines have as many as six other users sharing the systems. About 10% of my logins show this problem, but no other username exhibits this behavior. For the entries without a source IP address, there is no entry in /var/log/secure.

Questions

Given the scripts I keep on these systems (which control much of our network infrastructure), I am a bit spooked by this and would like to understand what would cause my logins to occasionally miss the source address.

- Why does `last -i` show 0.0.0.0 for pts line entries (see also this answer)

Informational

Since this started happening, I have enabled bash history timestamps (i.e. `HISTTIMEFORMAT="%y-%m-%d%T"` in .bash_profile) and also added a few other bash history hacks; however, that gives no clues about what happened during the previous occurrences.

All the systems run CentOS 6.3...

```
[mpenning@typo ~]$ uname -a
Linux typo.local 2.6.32-279.9.1.el6.x86_64 #1 SMP Tue Sep 25 21:43:11 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[mpenning@typo ~]$
```

Edit

If I use `last -i mpenning`, I see entries like this...

```
mpenning pts/19       0.0.0.0          Fri Nov 16 10:32 - 10:35  (00:03)
mpenning pts/17       0.0.0.0          Fri Nov 16 10:21 - 10:42  (00:21)
```

Note to those trying to answer: I have not logged in with the screen command or a GUI. All of my logins are from SSH; to receive the bounty award, you must cite authoritative references that explain the `last -i` 0.0.0.0 entries obtained via SSH only.
Edit 2 (for ewwhite's questions)

/etc/resolv.conf (note that I used .local addrs in the `last` output above to hide my company's info)

```
[mpenning@sasmars network]$ cat /etc/resolv.conf
nameserver 192.0.2.40
nameserver 192.0.2.60
domain mycompany.com
search mycompany.com
[mpenning@sasmars network]$
```

/etc/hosts info (note that this customized hosts file only exists on one of the machines that have these problems)

```
[mpenning@sasmars network]$ cat /etc/hosts
127.0.0.1       localhost.localdomain localhost
192.0.2.44      sasmars.mycompany.com sasmars
::1             localhost6.localdomain6 localhost6

## Temporary kludge until I add reverse hostname mappings...
## Firewalls
192.0.2.254     a2-inet-fw1
192.0.2.253     a2-inet-fw2
192.0.2.254     a2-wan-fw1
192.0.2.253     a2-wan-fw2
192.0.2.201     a2-fab-fw1
192.0.2.202     a2-fab-fw2
192.0.2.203     t1-eds-fw1
192.0.2.42      sasvpn
192.0.2.246     sasasa1
192.0.2.10      sasoutfw1
## Wireless
192.0.2.6       saswcs1
192.0.2.2       l2wlc3
192.0.2.4       l2wlc4
192.0.2.12      f2wlc5
192.0.2.16      f2wlc6
192.0.2.14      f2wlc1
192.0.2.8       f2wlc2
[mpenning@sasmars network]$
```

sftp output from /var/log/secure*

```
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: called (pam_tacplus v1.3.7)
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: user [mpenning] obtained
Dec 26 10:36:37 sasmars sshd[26016]: tacacs_get_password: called
Dec 26 10:36:37 sasmars sshd[26016]: tacacs_get_password: obtained password
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: password obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: tty [ssh] obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: rhost [192.0.2.91] obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: trying srv 0
Dec 26 10:36:38 sasmars sshd[26016]: Accepted password for mpenning from 192.0.2.91 port 55118 ssh2
Dec 26 10:36:38 sasmars sshd[26016]: pam_sm_setcred: called (pam_tacplus v1.3.7)
Dec 26 10:36:38 sasmars sshd[26016]: pam_unix(sshd:session): session opened for user mpenning by (uid=0)
Dec 26 10:36:38 sasmars sshd[26018]: pam_sm_setcred: called (pam_tacplus v1.3.7)
Dec 26 10:36:38 sasmars sshd[26018]: subsystem request for sftp
Dec 26 10:37:20 sasmars sshd[26016]: pam_unix(sshd:session): session closed for user mpenning
Dec 26 10:37:20 sasmars sshd[26016]: pam_sm_setcred: called (pam_tacplus v1.3.7)
```

Final solution

See my answer below

Solution
Differences in `script` behavior between RedHat and Debian
Linked libraries

CentOS 6.3 – script (util-linux-ng 2.17.2)

```
# ldd /usr/bin/script
        linux-vdso.so.1 =>  (0x00007fff077ff000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007f309f5d1000)
        libutempter.so.0 => /usr/lib64/libutempter.so.0 (0x00007f309f3cf000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f309f03b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f309f7e1000)
```

Ubuntu 12.04 – script (util-linux 2.20.1)

```
# ldd /usr/bin/script
        linux-vdso.so.1 =>  (0x00007fff375ff000)
        libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007fc0d7ab0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc0d76f1000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fc0d7cdc000)
```

PTY

Based on the upstream source code, both versions of script open a new pty. The following is a test.

Ubuntu 12.04

```
john@U64D211:~/tmp$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp$ script
Script started, file is typescript
john@U64D211:~/tmp$ ls /dev/pts
0  1  2  5  8  ptmx
john@U64D211:~/tmp$ last -i
john     pts/0        0.0.0.0          Sat Jan 5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan 5 09:08 - 09:52  (00:44)
john     pts/0        0.0.0.0          Thu Jan 3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan 3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan 1 20:48:28 2013
john@U64D211:~/tmp$ exit
exit
Script done, file is typescript
john@U64D211:~/tmp$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp$
```

The Ubuntu 12.04 script did open a new pts (2). It just did not update /var/log/wtmp.

CentOS 6

I am skipping the test, since we already know that script opens a pty and registers with wtmp.

libutempter

- Project: http://freecode.com/projects/libutempter

So the main difference seems to be the extra library (libutempter.so.0) that the CentOS script is linked with.
Test with Ubuntu 12.04

Compiling script with libutempter

```
john@U64D211:~/tmp/util-linux-2.20.1$ sudo apt-get install libutempter-dev
john@U64D211:~/tmp/util-linux-2.20.1$ ./configure --with-utempter
john@U64D211:~/tmp/util-linux-2.20.1$ make
john@U64D211:~/tmp/util-linux-2.20.1$ cd term-utils/
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ldd ./script
        linux-vdso.so.1 =>  (0x00007fff54dff000)
        libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f289e635000)
        libutempter.so.0 => /usr/lib/libutempter.so.0 (0x00007f289e432000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f289e072000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f289e861000)
```

Testing

Before running script

```
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last -i
john     pts/0        0.0.0.0          Sat Jan 5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan 5 09:08 - 10:37  (01:28)
john     pts/0        0.0.0.0          Thu Jan 3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan 3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan 1 20:48:28 2013
```

Within script

```
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ./script
Script started, file is typescript
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ls /dev/pts
0  1  2  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last -i
john     pts/2        0.0.0.0          Sat Jan 5 10:37   still logged in
john     pts/0        0.0.0.0          Sat Jan 5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan 5 09:08 - 10:37  (01:29)
john     pts/0        0.0.0.0          Thu Jan 3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan 3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan 1 20:48:28 2013
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ exit
exit
Script done, file is typescript
```

After script ends

```
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last -i
john     pts/2        0.0.0.0          Sat Jan 5 10:37 - 10:37  (00:00)
john     pts/0        0.0.0.0          Sat Jan 5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan 5 09:08 - 10:37  (01:29)
john     pts/0        0.0.0.0          Thu Jan 3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan 3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan 1 20:48:28 2013
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last
john     pts/2                         Sat Jan 5 10:37 - 10:37  (00:00)
john     pts/0        :0               Sat Jan 5 09:09   still logged in
reboot   system boot  3.2.0-35-generic Sat Jan 5 09:08 - 10:38  (01:30)
john     pts/0        :0               Thu Jan 3 00:50 - 01:42  (00:52)
reboot   system boot  3.2.0-35-generic Thu Jan 3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan 1 20:48:28 2013
```

Root cause of the empty hostname

And yes, script.c does create the wtmp entry with an empty hostname. See the following code block in util-linux-2.20.1/term-utils/script.c, lines 245-247:

```
#ifdef HAVE_LIBUTEMPTER
    utempter_add_record(master, NULL);
#endif
```

Based on libutempter-1.1.5/utempter.h:

```
extern int utempter_add_record (int master_fd, const char *hostname);
```

So script.c is actually passing an empty hostname to utempter_add_record.

RedHat Backport

Interestingly, upstream util-linux-ng-2.17.2 does not actually support libutempter. It seems Redhat decided to add that support back.

```
john@U64D211:~/tmp/util-linux-ng-2.17.2$ ./configure --help|grep utemp
```

The above command returns an empty result.

Conclusion

So the difference in behavior between the two distributions is not a bug, but a choice. RedHat decided to support the feature, while Debian skipped it.
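
A triage aid for the records discussed in this thread, as an added example that is not part of the original question or answer: it parses raw wtmp records and lists pts logins written with an empty host and an all-zero address, as a `utempter_add_record(master, NULL)` call produces. The 384-byte record layout (glibc `struct utmp` on x86_64 Linux), the function names and the sample records are assumptions made for this example.

```python
import socket
import struct

# Assumed layout: glibc `struct utmp` on x86_64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii16s20s")
USER_PROCESS = 7  # ut_type of a login record

def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(blob):
    """Yield one dict per complete record; a truncated tail is ignored."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield {"type": f[0], "pid": f[1], "line": cstr(f[2]), "user": cstr(f[4]),
               "host": cstr(f[5]), "time": f[9], "addr": f[11]}

def hostless_pts_logins(blob):
    """Login records on a pts with empty ut_host and zero ut_addr_v6:
    a blank host column in `last` and 0.0.0.0 in `last -i`."""
    return [r for r in parse_wtmp(blob)
            if r["type"] == USER_PROCESS and r["line"].startswith("pts/")
            and not r["host"] and not any(r["addr"])]

def make_record(line, user, host=b"", ip=None, pid=1000, sec=0):
    """Build one constructed record for the sample below."""
    addr = socket.inet_aton(ip) + bytes(12) if ip else bytes(16)
    return UTMP.pack(USER_PROCESS, pid, line, b"", user, host,
                     0, 0, 0, sec, 0, addr, bytes(20))

def sample_wtmp():
    # Constructed sample: an SSH login, an X terminal (host ":0.0", zero
    # address) and a record written with no host at all.
    return b"".join([
        make_record(b"pts/1", b"mpenning", b"192.0.2.91", "192.0.2.91", 26018, 1353061020),
        make_record(b"pts/0", b"kkim14", b":0.0", None, 4100, 1352982420),
        make_record(b"pts/19", b"mpenning", pid=26300, sec=1353061920),
    ])

if __name__ == "__main__":
    for r in hostless_pts_logins(sample_wtmp()):
        print(r["user"], r["line"], r["pid"], r["time"])
```

The `pid` and `time` of each hit can then be matched against shell history or process accounting to confirm that a nested pty, rather than a new remote login, wrote the record.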