
Re: Should pam_unix log non-interactive sessions? [cas@taz.net.au: Bug#612382: pam, non-interactive-sessions, and pam_unix spamming the auth log]

On 02/13/2011 11:50 PM, Patrick Matthäi wrote:
> On 13.02.2011 23:45, Steve Langasek wrote:
>> Hi folks,
>> I have a bug report objecting to pam_unix logging all PAM sessions,
>> interactive and non-interactive alike, to syslog.  Should pam_unix be
>> dropped from /etc/pam.d/common-session-noninteractive?

Did the user present a real use-case where this is an issue, or is this
more of an aesthetic issue to the user? All too often, I've been
confronted with the latter case.

>> It's only after pam-auth-update started being used and
>> common-session-noninteractive is split out that anyone mentioned
>> this might be a problem; before that I assumed that having pam_unix
>> log the session was the right thing to do.
>> Any other arguments for/against this logging?

In general, I would rather filter the output of syslog instead of
limiting its input. I understand that this is currently not possible
here, as there is no distinction between {non-,}interactive messages.

> *We* need that logging on our machines per default and I don't think
> that we are the only ones. Non-interactive sessions should still be
> logged.

Same here.

> Personally, I would wish that I can see in auth.log if it is
> {non-}interactive or not, but that is not the topic of this thread.
