How to Customize or Disable SSH “Last Login” Message (PrintLastLog Configuration)


The "Last login: [datetime] from [IP]" message appears immediately after SSH authentication, before the MOTD (Message of the Day) is displayed. Unlike MOTD content (controlled by /etc/update-motd.d/), this message is printed by the OpenSSH server (sshd) itself.

The behavior is controlled by two locations:

  1. sshd_config (server-side):
    # /etc/ssh/sshd_config
    PrintLastLog yes|no  # Controls whether to show last login info
  2. login.defs (system-wide):
    # /etc/login.defs
    LASTLOG_ENAB yes|no  # Affects lastlog database updates

Option 1: Disable Entirely

# /etc/ssh/sshd_config
PrintLastLog no
# Then restart SSH
sudo systemctl restart sshd

Option 2: Modify the Message Format

While you can't directly edit the message format in OpenSSH, you can:

  1. Disable PrintLastLog
  2. Create a custom login greeting in ~/.bashrc:
# ~/.bashrc
if [ -n "$SSH_CONNECTION" ]; then
    # Row 1 of `last` is the session that just started; row 2 is the one before it
    echo "Previous session: $(last -n 2 "$USER" | awk 'NR==2 {print $4,$5,$6,$7}')"
fi

For systems using PAM (most Linux distributions), edit /etc/pam.d/sshd:

# Comment out the lastlog line
# session    required     pam_lastlog.so

  • Security implications: Last login info helps detect unauthorized access
  • Changes require SSH service restart: sudo systemctl restart sshd
  • May affect compliance with security policies

After making changes, test with:

ssh localhost
# Or for remote testing:
ssh user@server -v 2>&1 | grep "Last login"

The SSH "Last login" message is generated by the OpenSSH server itself, not through MotD scripts. This behavior is controlled by the PrintLastLog parameter in sshd_config, which defaults to "yes".

# Primary configuration file
/etc/ssh/sshd_config

# Compiled binaries handling the message
/usr/sbin/sshd
/usr/lib/openssh/sftp-server

Option 1: Disable Entirely (Not Recommended)

# Edit /etc/ssh/sshd_config
PrintLastLog no

# Then restart SSH
sudo systemctl restart sshd

Option 2: PAM Module Customization (Advanced)

The login records come from /var/log/wtmp. To customize formatting:

# Install required PAM module
sudo apt-get install libpam-modules

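# Modify PAM configuration (the host is shown by default; the nodate,
# noterm and nohost options hide individual fields of the message)
echo "session optional pam_lastlog.so" | sudo tee -a /etc/pam.d/sshd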

Option 3: Binary Patching (Not Recommended)

For extreme cases where complete control is needed, you'd need to:

  1. Download OpenSSH source
  2. Modify session.c (look for lastlog code)
  3. Recompile and replace binaries

Create a wrapper script in /etc/profile.d/:

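#!/bin/bash
if [ -n "$SSH_CONNECTION" ]; then
    # lastlog already holds the login that just happened, so read wtmp instead:
    # row 1 of `last` is the current session, row 2 the previous one
    last -n 2 "$USER" | awk \
    'NR==2 && NF {printf "Previous access: %s from %s (%s)\n", $1, $3, $4 " " $5 " " $6 " " $7}'
fi

  • Last login information helps identify unauthorized access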
  • Disabling completely removes this security feature
  • Consider logging to separate file if customizing heavily
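
A more defensive form of the custom greetings above, as an added example that is not code from the original article: it skips the row belonging to the session that is running the script and marks a previous source address that differs from the current one. It assumes util-linux last with its -F and -i options; the function name format_previous_login is illustrative.

```shell
#!/bin/bash
# Added example for /etc/profile.d/ (the function name is illustrative).
# Assumes util-linux `last`: -F prints full timestamps, -i prints the source
# as an IP address (0.0.0.0 for local logins), so every row has the same columns:
#   user  tty  ip  Dow Mon DD HH:MM:SS YYYY  ...

# format_previous_login CURRENT_TTY CURRENT_IP
# Reads `last -F -i USER` output (newest row first) on stdin and prints one line.
format_previous_login() {
    awk -v tty="$1" -v ip="$2" '
        NF == 0 { exit }                 # blank line precedes the "wtmp begins" footer
        # sshd records the new login before the shell starts, so the row for
        # our own tty that is still open is this session, not the previous one.
        $2 == tty && /still +logged +in/ { next }
        {
            printf "Previous session: %s %s %s %s %s from %s on %s", $4, $5, $6, $7, $8, $3, $2
            if (ip != "" && $3 != ip) printf " [source differs from this session]"
            printf "\n"
            found = 1
            exit
        }
        END { if (!found) print "Previous session: none on record" }'
}

# Only run for SSH sessions, and only where `last` is installed.
if [ -n "$SSH_CONNECTION" ] && command -v last >/dev/null 2>&1; then
    current_tty=$(tty 2>/dev/null | sed 's|^/dev/||')
    # The first word of SSH_CONNECTION is the client address of this session.
    last -F -i "$USER" | format_previous_login "$current_tty" "${SSH_CONNECTION%% *}"
fi
```

Set PrintLastLog no before using it, otherwise sshd prints its own line as well.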

After making changes:

# Check config syntax
sudo sshd -t

# Test login sequence
ssh -vvv localhost