
Bug#599240: openssh-server: error messages not logged unless PrivilegeSeparation off



Marc Lehmann <schmorp@schmorp.de> writes:
> Russ Allbery <rra@debian.org> wrote:
>> Marc Lehmann <schmorp@schmorp.de> writes:

>>> What luck that I found out how to reproduce it a while later: remove the
>>> /etc/shadow entry for the user, and you get connection closed but no log
>>> messages whatsoever.

>> I think that's just because pam_unix doesn't log anything in this case.
>> I've run into that before.

> I have no clue who logs, but the fact remains that I only get the message
> when privsep is off.

Ah, I think I understand.  That error message is coming from ssh itself.
So this isn't a problem with how PAM modules are called, but rather
apparently a problem with the logging code in sshd itself in the case of
privilege separation.  You don't get the failure message generated
internally by sshd when the account stack fails.

I did double-check the pam_unix source code and indeed it just exits with
a failure status but reports no error messages at all if the user isn't
listed in /etc/shadow.  I think that's probably also a bug in pam.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
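
The failure mode discussed in this thread (an account with no /etc/shadow entry is refused and nothing is logged) can be checked for directly on a host. The following is an added example, not part of the original messages and not code from OpenSSH or PAM; the function name `missing_shadow` and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that are in passwd but have no shadow entry.
# usage: missing_shadow PASSWD_FILE SHADOW_FILE
missing_shadow() {
    awk -F: '
        # First file (shadow): remember every login name that has an entry.
        # Comparing FILENAME instead of NR==FNR keeps an empty shadow file safe.
        FILENAME == ARGV[1] { if ($1 != "") have[$1] = 1; next }
        # Second file (passwd): skip blanks, comments and NIS compat lines.
        $1 == "" || /^[#+-]/ { next }
        # "x" in field 2 means the password hash is expected in shadow.
        $2 == "x" && !($1 in have) { print $1 }
    ' "$2" "$1"
}

# Constructed sample data (not from the bug report): "bob" has no shadow line.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:*:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
EOF

# Prints the accounts that would hit the silent failure described above.
missing_shadow "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real system the function would be called as root with /etc/passwd and /etc/shadow, since /etc/shadow is not world-readable.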


