Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off

To: Marc Lehmann <schmorp@schmorp.de>
Cc: 599240@bugs.debian.org
Subject: Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
From: Russ Allbery <rra@debian.org>
Date: Wed, 06 Oct 2010 20:05:23 -0700
Message-id: <87fwwiya6k.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 599240@bugs.debian.org
In-reply-to: <20101007025040.GB32226@schmorp.de> (Marc Lehmann's message of "Thu, 7 Oct 2010 04:50:40 +0200")
References: <20101006022409.29917.44777.reportbug@cerebro.laendle> <87aamsvyat.fsf@windlord.stanford.edu> <20101007023546.GA32226@schmorp.de> <87k4luyb58.fsf@windlord.stanford.edu> <20101007025040.GB32226@schmorp.de>

Marc Lehmann <schmorp@schmorp.de> writes:
> Russ Allbery <rra@debian.org> wrote:
>> Marc Lehmann <schmorp@schmorp.de> writes:

>>> What luck that I found out how to reproduce it a while later: remove the
>>> /etc/shadow entry for the user, and you get connection closed but no log
>>> messages whatsoever.

>> I think that's just because pam_unix doesn't log anything in this case.
>> I've run into that before.

> I have no clue who logs, but the fact remains that I only get the message
> when privsep is off.

Ah, I think I understand.  That error message is coming from ssh itself.
So this isn't a problem with how PAM modules are called, but rather
apparently a problem with the logging code in sshd itself in the case of
privilege separation.  You don't get the failure message generated
internally by sshd when the account stack fails.

I did double-check the pam_unix source code and indeed it just exits with
a failure status but reports no error messages at all if the user isn't
listed in /etc/shadow.  I think that's probably also a bug in pam.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
  - From: Marc Lehmann <schmorp@schmorp.de>

References:
- Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
  - From: Marc Lehmann <debian-reportbug@plan9.de>
- Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
  - From: Russ Allbery <rra@debian.org>
- Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
  - From: Marc Lehmann <schmorp@schmorp.de>
- Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
  - From: Russ Allbery <rra@debian.org>
- Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
  - From: Marc Lehmann <schmorp@schmorp.de>

Prev by Date: Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
Next by Date: Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
Previous by thread: Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
Next by thread: Bug#599240: openssh-server: error message snot logged unless PrivilegeSeparation off
Index(es):
- Date
- Thread