Add compact mode to last

[jelmd]

Fixes #53: hide logout time and set login time format default to 'compact' (YYYY-mm-dd HH:MM:SS).

[jelmd]

See jelmd@9f7ac3c

[andy-bower]

Just a couple of suggestions as an observer: if you want your proposal to be considered I would advise:

1. Rebase so you only present the commits that implement or enable this feature on the tip of the main branch.
2. Include some example output from this new mode so reviewers and observers can see at a glance what value they might get from the proposed change and conveniently compare against the alternative.

[jelmd]

@andy-bower yes, thanx. Github UI choose the wrong branch and I didn't noticed it, because there is no preview. That's why the hint to just cherry-pick jelmd@9f7ac3c

Example out:

> build/wtmpdb last -c
hans     tty7         :0               2025-12-03 17:37:44 .(05:29:46)
wurst    tty7         :0               2025-12-03 17:37:27 .(05:30:03)
hans     tty7         :0               2025-12-03 14:26:30  (03:10:56)
karl     ssh          123.45.67.89     2025-12-03 10:27:02  (00:06:11)
ranseier ssh          123.45.67.890    2025-12-03 10:23:33 .(12:43:57)
alexa    ssh          123.45.67.89     2025-12-03 08:49:25  (04:00:25)
hans     ssh          12.345.678.90    2025-12-03 07:06:32 .(16:00:58)
hans     ssh          12.345.678.90    2025-12-03 07:02:34  (00:01:41)
wurst    tty7         :0               2025-12-02 20:18:49 .(1+02:48:41)
hans     tty7         :0               2025-12-02 14:59:14  (05:20:04)
hans     ssh          12.345.678.90    2025-12-02 13:53:10  (00:58:09)
platz    ssh          123.45.678.90    2025-12-02 10:37:36  (00:58:26)
alexa    ssh          123.45.67.89     2025-12-02 10:27:10  (00:00:59)
alexa    ssh          123.45.67.89     2025-12-02 09:29:36  (00:00:46)
alexa    ssh          123.456.789.01   2025-12-02 08:39:10  (00:11:53)
alexa    ssh          123.456.789.01   2025-12-02 07:51:33  (00:55:11)
hans     ssh          12.345.678.90    2025-12-02 00:49:31  (14:01:43)
wurst    tty7         :0               2025-12-01 22:13:02 .(2+00:54:28)
hans     tty7         :0               2025-12-01 15:00:24  (07:12:37)
...
reboot   system boot  6.8.0-84-generic 2025-11-26 20:53:04 .(7+02:14:26)
andre    console      2025-11-26       2025-11-26 20:41:41 ?(00:11:22)
platz    ssh          12.345.67.8      2025-11-26 18:51:49  (00:05:05)
hans     tty7         :0               2025-11-26 18:45:05  (02:04:00)
hans     ssh          901.23.45.67     2025-11-26 18:44:45  (02:07:21)
andre    ssh          901.23.45.67     2025-11-26 18:44:18  (02:07:48)
wurst    tty7         :0               2025-11-26 18:42:48  (00:02:17)
andre    tty7         :0               2025-11-26 18:42:47 ?(02:10:17)
wurst    tty7         :0               2025-11-26 18:42:26 ?(02:10:37)
reboot   system boot  6.8.0-84-generic 2025-11-26 18:42:17  (02:06:49)
andre    ssh          890.12.34.5      2025-11-26 18:40:36 ?(00:01:40)
andre    ssh          678.90.12.345    2025-11-26 17:44:31 ?(00:57:45)
hans     tty7         :0               2025-11-26 13:51:44 ?(04:50:32)
hans     ssh          12.345.678.90    2025-11-26 12:51:04 ?(05:51:12)
alexa    ssh          123.45.67.89     2025-11-26 10:14:22  (03:47:25)
alexa    ssh          123.45.67.89     2025-11-26 10:12:39  (00:00:19)
ranseier ssh          123.45.67.890    2025-11-26 09:21:10 ?(09:21:06)
platz    ssh          678.90.12.34     2025-11-26 09:06:33  (07:36:46)
hans     ssh          12.345.678.90    2025-11-26 08:00:20 ?(10:41:56)
hans     ssh          12.345.678.90    2025-11-26 01:41:51  (11:47:04)

wtmpdb begins 2025-11-26 01:41:51


> build/wtmpdb last -co

hans     tty7         :0               2025-12-03 17:37:44 .(05:30:20)
wurst    tty7         :0               2025-12-03 17:37:27 .(05:30:37)
karl     ssh          123.45.67.890    2025-12-03 10:23:33 .(12:44:31)
hans     ssh          12.345.678.90    2025-12-03 07:06:32 .(16:01:32)
wurst    tty7         :0               2025-12-02 20:18:49 .(1+02:49:15)
wurst    tty7         :0               2025-12-01 22:13:02 .(2+00:55:02)
...
reboot   system boot  6.8.0-84-generic 2025-11-26 20:53:04 .(7+02:15:00)
ranse    console      2025-11-26       2025-11-26 20:41:41 ?(00:11:22)
ranse    tty7         :0               2025-11-26 18:42:47 ?(02:10:17)
wurst    tty7         :0               2025-11-26 18:42:26 ?(02:10:37)
ranse    ssh          123.45.67.8      2025-11-26 18:40:36 ?(00:01:40)
ranse    ssh          901.23.45.678    2025-11-26 17:44:31 ?(00:57:45)
hans     tty7         :0               2025-11-26 13:51:44 ?(04:50:32)
hans     ssh          12.345.678.90    2025-11-26 12:51:04 ?(05:51:12)
karl     ssh          123.45.67.890    2025-11-26 09:21:10 ?(09:21:06)
hans     ssh          12.345.678.90    2025-11-26 08:00:20 ?(10:41:56)
...
wtmpdb begins 2025-11-26 01:41:51


> build/wtmpdb last -cp now
hans     tty7         :0               2025-12-03 17:37:44 .(05:30:05)
wurst    tty7         :0               2025-12-03 17:37:27 .(05:30:22)
karl     ssh          123.45.67.890    2025-12-03 10:23:33 .(12:44:16)
hans     ssh          12.345.678.90    2025-12-03 07:06:32 .(16:01:17)
wurst    tty7         :0               2025-12-02 20:18:49 .(1+02:49:00)
wurst    tty7         :0               2025-12-01 22:13:02 .(2+00:54:47)
...
reboot   system boot  6.8.0-84-generic 2025-11-26 20:53:04 .(7+02:14:45)

wtmpdb begins 2025-09-16 03:04:00


> build/wtmpdb last -cu
hans     console      2025-11-26       2025-11-26 20:41:41 .(7+02:26:33)
wurst    tty7         :0               2025-12-03 17:37:44 .(05:30:30)
karl     tty7         :0               2025-12-03 17:37:27 .(05:30:47)
ranseier ssh          123.45.678.90    2025-12-02 10:37:36  (00:58:26)
alexande ssh          123.45.67.890    2025-12-03 10:23:33 .(12:44:41)
platz    ssh          123.45.67.89     2025-12-03 08:49:25  (04:00:25)
andreas  ssh          123.45.67.89     2025-12-03 10:27:02  (00:06:11)

wtmpdb begins 2025-11-26 20:41:41

[thkukuk]

foobar ssh 12.345.678.90 2025-11-30 16:10:30 .

Your ssh daemon does not report the TTY if you see "ssh" here, there are patches missing.

[jelmd]

foobar ssh 12.345.678.90 2025-11-30 16:10:30 .

Your ssh daemon does not report the TTY if you see "ssh" here, there are patches missing.

Depends. Actually, [since this would be a virtual device anyway,] it’s not really necessary. The PID would be more interesting if the session hasn’t ended yet. But as mentioned, for running sessions w and who already provide that information if needed.

And importantly, sshd still writes its entries to /var/log/wtmp, which can be inspected using the legacy last. So there are no duplicates in wtmpdb - it stays simple, consistent, and in line with the KISS principle. No need to patch sshd (or similar tools) ;-).

[andy-bower]

Hi @jelmd,

foobar ssh 12.345.678.90 2025-11-30 16:10:30 .

Your ssh daemon does not report the TTY if you see "ssh" here, there are patches missing.

Depends. Actually, [since this would be a virtual device anyway,] it’s not really necessary. The PID would be more interesting if the session hasn’t ended yet. But as mentioned, for running sessions w and who already provide that information if needed.

Where 'w' and 'who' get their records also "depends".

It's a bit of a mess really. If you want to know what is happening now you might be best off looking at the process table..

And importantly, sshd still writes its entries to /var/log/wtmp, which can be inspected using the legacy last.

sshd does, but what else does is at the whim of people.

So there are no duplicates in wtmpdb - it stays simple, consistent, and in line with the KISS principle. No need to patch sshd (or similar tools) ;-).

sshd doesn't need patching for this - libwtmpdb linkage is a build option.

However, I do wish that there were some pam capability that would let us deduplicate these entries somehow so you could add the richer data in a specific ssh daemon without having to universally block duplicate records from libpam-wtmpdb with skip_if=sshd. Currently this is an issue in Ubuntu because they have patched out libwtmpdb integration in openssh-server but kept the exclusion in wtmpdb so no ssh sessions are getting recorded.

[testus-x]

Hi @andy-bower,

oops, thought I had already answered this one.

Your ssh daemon does not report the TTY if you see "ssh" here, there are patches missing.

Depends. Actually, [since this would be a virtual device anyway,] it’s not really necessary. The PID would be more interesting if the session hasn’t ended yet. But as mentioned, for running sessions w and who already provide that information if needed.

Where 'w' and 'who' get their records also "depends".

On Ubuntu/Linux, w scans the /proc tree, it does not use /var/log/*tmp. who seems to use both sources.

It's a bit of a mess really. If you want to know what is happening now you might be best off looking at the process table..

Yes, but the point is that when someone uses last, they are not interested in details like the TTY or display. It’s just to get an overview. Only if more detail is needed, other tools come into play.

And importantly, sshd still writes its entries to /var/log/wtmp, which can be inspected using the legacy last.

sshd does, but what else does is at the whim of people.

Well, the ancient stuff probably does, newer tools shouldn’t. Therefore, IMHO it’s better to leave it alone and let them trash it as they like - if I have something more reliable like wtmpdb ;-).

So there are no duplicates in wtmpdb - it stays simple, consistent, and in line with the KISS principle. No need to patch sshd (or similar tools) ;-).

sshd doesn't need patching for this - libwtmpdb linkage is a build option.

Hmmm, IMHO all ancient tools need to be patched so they no longer use wtmp* at all. Instead, they should rely on PAM, and if they do, a PAM module like pam_wtmpdb is sufficient and authoritative for what one needs to know about session history. If the authenticating tool wants to log|provide more details, it can do so in its own logs and provide the proper commands to retrieve that information.

However, I do wish that there were some pam capability that would let us deduplicate these entries

Well, if tools behave properly, duplicates would never occur, because the related PAM module would be the only component writing to the database.

somehow so you could add the richer data in a specific ssh daemon without having to universally block duplicate records from libpam-wtmpdb with skip_if=sshd. Currently this is an issue in Ubuntu because they have patched out libwtmpdb integration in openssh-server but kept the exclusion in wtmpdb so no ssh sessions are getting recorded.

Yeah, that’s IMHO the right thing to do - excellent! All ancient stuff (written when PAM wasn’t available or even known, and therefore using such ugly kludges like *wtmp(3)) should be fixed to use PAM and stop scribbling into wtmp, which is IMHO pretty dirty and probably the root cause of various not-so-well-thought-out ideas like wtmpdbd.

Anyway, in my current version I cleaned up the print_entry() mess and updated the examples to give a better impression of the compact mode. They should also make the difference between -o and -p now clearer.

[andy-bower]

@jelmd my observation was a technical aside so addressing from that point of view:

Your ssh daemon does not report the TTY if you see "ssh" here, there are patches missing.

Depends. Actually, [since this would be a virtual device anyway,] it’s not really necessary. The PID would be more interesting if the session hasn’t ended yet. But as mentioned, for running sessions w and who already provide that information if needed.

Where 'w' and 'who' get their records also "depends".

On Ubuntu/Linux, w scans the /proc tree, it does not use /var/log/*tmp. who seems to use both sources.

OK! That's not my recollection from patching w in Debian's procps package recently but I haven't checked what the Ubuntu fork does.

somehow so you could add the richer data in a specific ssh daemon without having to universally block duplicate records from libpam-wtmpdb with skip_if=sshd. Currently this is an issue in Ubuntu because they have patched out libwtmpdb integration in openssh-server but kept the exclusion in wtmpdb so no ssh sessions are getting recorded.

This is now fixed in 0.75.0-5ubuntu1 by recording the low fidelity ssh records through libpam-wtmpdb. No duplicates, no gaps, but limited information.

Yeah, that’s IMHO the right thing to do - excellent! All ancient stuff (written when PAM wasn’t available or even known, and therefore using such ugly kludges like *wtmp(3)) should be fixed to use PAM and stop scribbling into wtmp, which is IMHO pretty dirty and probably the root cause of various not-so-well-thought-out ideas like wtmpdbd.

You seem rather certain about this. It seems to me that PAM is a framework, with its own benefits and limitations. openssh-server has its own reasons for doing things which may not map 100% onto that framework. I suspect PAM developers would acknowledge the limitations - most people are aware of limitations in their own software.