
Bug#599240: openssh-server: error messages not logged unless PrivilegeSeparation off



Marc Lehmann <schmorp@schmorp.de> writes:

> What luck that I found out how to reproduce it a while later: remove the
> /etc/shadow entry for the user, and you get connection closed but no log
> messages whatsoever.

I think that's just because pam_unix doesn't log anything in this case.
I've run into that before.

> strace shows that sshd tried to open /dev/log, but gets ENOENT, which
> makes sense in the context.

I'm pretty sure this is a red herring, since the account portion of the
pam_krb5 module (which is where this is checked in pam_unix) is able to
log to syslog even with PrivilegeSeparation turned on.

Oct  6 19:43:32 windlord sshd[19307]: pam_krb5(sshd:auth): user eagle authenticated as rra@stanford.edu
Oct  6 19:43:32 windlord sshd[19307]: pam_krb5(sshd:account): pam_sm_acct_mgmt: entry (0x0)
Oct  6 19:43:32 windlord sshd[19307]: pam_krb5(sshd:account): (user eagle) retrieving principal from cache
Oct  6 19:43:32 windlord sshd[19307]: pam_krb5(sshd:account): pam_sm_acct_mgmt: exit (success)
Oct  6 19:43:32 windlord sshd[19307]: Accepted password for eagle from 171.67.225.134 port 45240 ssh2
Oct  6 19:43:32 windlord sshd[19307]: pam_unix(sshd:session): session opened for user eagle by (uid=0)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
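
An added example, not part of the original message: a check for the condition in the quoted report, an account whose /etc/passwd entry defers to /etc/shadow (password field `x`) but has no /etc/shadow line. The function name and the sample file contents are constructed for illustration.

```python
import sys

# Constructed sample data: "alice" defers to shadow but has no shadow line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:*:1002:1002:No shadow needed:/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:*:14888:0:99999:7:::
bob:*:14888:0:99999:7:::
"""


def _entries(text):
    """Yield the colon-separated fields of each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield line.split(":")


def missing_shadow_entries(passwd_text, shadow_text):
    """Return names whose passwd password field is 'x' but which have no
    line in shadow, in passwd order."""
    shadow_users = {fields[0] for fields in _entries(shadow_text)}
    missing = []
    for fields in _entries(passwd_text):
        # Skip malformed lines and NIS compat markers (+name / -name).
        if len(fields) < 7 or fields[0][:1] in ("+", "-"):
            continue
        name, pw_field = fields[0], fields[1]
        if pw_field == "x" and name not in shadow_users:
            missing.append(name)
    return missing


if __name__ == "__main__":
    try:
        # Reading /etc/shadow normally requires root.
        with open("/etc/passwd") as p, open("/etc/shadow") as s:
            passwd_text, shadow_text = p.read(), s.read()
    except OSError as exc:
        print(f"using constructed sample data ({exc})", file=sys.stderr)
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for user in missing_shadow_entries(passwd_text, shadow_text):
        print(f"{user}: passwd entry refers to shadow, but no shadow entry")
```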


