How to Display Full Usernames in Linux Last Logins (Fixing 8-Character Truncation)


31 views

When working with Linux system administration, you might encounter an issue where the last command truncates usernames to 8 characters. For example, a username like "administrator" appears as "administ" in the output. This limitation stems from historical Unix conventions where usernames were traditionally limited to 8 characters.

The last command reads from /var/log/wtmp, which stores login records in a binary format. The format of this file maintains the 8-character limitation for backward compatibility, even though modern Linux systems support much longer usernames.

Here are several approaches to get complete username information:

1. Using lastlog with Full Output


lastlog | grep -v "Never logged in"

This shows all users and their last login times, displaying full usernames.

2. Parsing /etc/passwd with Last Login Data


awk -F: '{print $1}' /etc/passwd | while read user; do
    last -n 1 "$user" | head -n 1
done | grep -v "wtmp begins"

3. Using the who Command with Custom Formatting


who -u /var/log/wtmp | awk '{print $1}'

For a more comprehensive solution, you can create a script that combines multiple data sources:


#!/bin/bash

# Get all users from /etc/passwd
getent passwd | cut -d: -f1 | while read user; do
    # Get last login info for each user
    last_login=$(last -n 1 "$user" 2>/dev/null | head -n 1)
    if [ -n "$last_login" ]; then
        echo "$user: $last_login"
    fi
done

If you have control over the system, you could modify how login records are stored:

  • Configure PAM to write to alternative log files
  • Implement custom logging that doesn't truncate usernames
  • Use syslog-ng or rsyslog to capture complete authentication data

For critical systems, consider implementing a custom authentication logging solution:


# Example using SQLite to store full login records
apt-get install sqlite3
sqlite3 /var/log/auth.db "CREATE TABLE logins (username TEXT, time DATETIME, tty TEXT, host TEXT);"

Then configure PAM to write to this database instead of the traditional wtmp file.

When checking login history in Linux, many administrators encounter an annoying limitation - the last command truncates usernames to 8 characters. This becomes particularly problematic when dealing with:

  • Active Directory integrated systems
  • Modern Linux distributions with long usernames
  • Enterprise environments with standardized naming conventions

The 8-character limitation stems from historical Unix compatibility where the utmp structure allocated only 8 bytes for usernames. While modern systems support longer usernames, many utilities still adhere to this legacy format.

Method 1: Using lastlog with Custom Formatting

lastlog | awk '{print $1}' | xargs -I {} getent passwd {} | cut -d: -f1,5

Method 2: Parsing auth.log or secure

For systems using journald:

journalctl -u systemd-logind -b | grep "New session"

For traditional syslog:

grep "session opened" /var/log/auth.log

Method 3: Custom Script Combining Multiple Sources

#!/bin/bash
{
    last -w | awk '{print $1}' | sort -u | while read user; do
        getent passwd "$user" | cut -d: -f1,5
    done
} | column -t -s:

For systems where you control the source:

  1. Download the util-linux source package
  2. Modify the UT_NAMESIZE definition in utmp.h
  3. Recompile the last command

In AD-integrated environments, consider these additional approaches:

  • Configure SSSD to log full names to a custom log file
  • Use PowerShell remoting for Windows-integrated systems
  • Implement centralized logging with syslog-ng or rsyslog

For systems with centralized authentication:

# MySQL query for FreeIPA systems
SELECT uid,displayname FROM user_private WHERE uid IN 
(SELECT DISTINCT user FROM lastlog);