diff --git a/doc/guix.texi b/doc/guix.texi index 21434f6c74..966a5458f8 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9352,6 +9352,10 @@ Because PAM challenge response authentication usually serves an equivalent role to password authentication, you should disable either @code{challenge-response-authentication?} or @code{password-authentication?}. + +@item @code{print-last-log?} (default: @code{#t}) +Specifies whether @command{sshd} should print the date and time of the +last user login when a user logs in interactively. @end table @end deftp diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index ef7d546d13..d8a3ad35ad 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -279,6 +279,8 @@ The other options should be self-descriptive." (challenge-response-authentication? openssh-challenge-response-authentication? (default #f)) ;Boolean (use-pam? openssh-configuration-use-pam? + (default #t)) ;Boolean + (print-last-log? openssh-configuration-print-last-log? (default #t))) ;Boolean (define %openssh-accounts @@ -298,6 +300,14 @@ The other options should be self-descriptive." (mkdir-p "/etc/ssh") (mkdir-p (dirname #$(openssh-configuration-pid-file config))) + (define (touch file-name) + (call-with-output-file file-name (const #t))) + + (let ((lastlog "/var/log/lastlog")) + (when #$(openssh-configuration-print-last-log? config) + (unless (file-exists? lastlog) + (touch lastlog)))) + ;; Generate missing host keys. (system* (string-append #$(openssh-configuration-openssh config) "/bin/ssh-keygen") "-A"))) @@ -336,6 +346,9 @@ The other options should be self-descriptive." (format port "UsePAM ~a\n" #$(if (openssh-configuration-use-pam? config) "yes" "no")) + (format port "PrintLastLog ~a\n" + #$(if (openssh-configuration-print-last-log? config) + "yes" "no")) #t)))) (define (openssh-shepherd-service config)