Bug#599240: openssh-server: error messages not logged unless PrivilegeSeparation off
Marc Lehmann <schmorp@schmorp.de> writes:
> Russ Allbery <rra@debian.org> wrote:
>> Marc Lehmann <schmorp@schmorp.de> writes:
>>> What luck that I found out how to reproduce it a while later: remove the
>>> /etc/shadow entry for the user, and you get connection closed but no log
>>> messages whatsoever.
>> I think that's just because pam_unix doesn't log anything in this case.
>> I've run into that before.
> I have no clue who logs, but the fact remains that I only get the message
> when privsep is off.
Ah, I think I understand. That error message is coming from ssh itself.
So this isn't a problem with how PAM modules are called, but rather
apparently a problem with the logging code in sshd itself in the case of
privilege separation. You don't get the failure message generated
internally by sshd when the account stack fails.

I did double-check the pam_unix source code and indeed it just exits with
a failure status but reports no error messages at all if the user isn't
listed in /etc/shadow. I think that's probably also a bug in pam.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
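
Added example, not part of the message above and not code from openssh or pam: a consistency check for the condition that triggers the silent failure in this thread, an account present in /etc/passwd with no /etc/shadow entry. The sample file contents are constructed, and the function names and the list of non-login shells are assumptions made for illustration.

```python
# Shells treated as "cannot log in" (assumption; adjust for the local system).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text, min_fields):
    """Yield field lists from passwd/shadow-style text, skipping blank,
    comment and malformed (too short) lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def missing_shadow_entries(passwd_text, shadow_text):
    """Return login-capable accounts whose passwd entry points at the shadow
    file (password field "x") but which have no shadow entry at all."""
    shadow_users = {f[0] for f in parse_colon_file(shadow_text, 2)}
    missing = []
    for fields in parse_colon_file(passwd_text, 7):
        name, pw_field, shell = fields[0], fields[1], fields[6]
        if pw_field != "x":            # not a shadowed account
            continue
        if shell in NOLOGIN_SHELLS:    # cannot log in interactively anyway
            continue
        if name not in shadow_users:
            missing.append(name)
    return missing


# Constructed sample data: "bob" has no shadow entry, "daemon" has none
# either but uses a non-login shell and is therefore not reported.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
"""
SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user in missing_shadow_entries(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: in passwd but not in shadow")
```

On a live system the same function can be fed the contents of /etc/passwd and /etc/shadow, which requires read access to the shadow file.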