
Bug#599240: openssh-server: error messages not logged unless PrivilegeSeparation off



On Wed, Oct 06, 2010 at 08:05:23PM -0700, Russ Allbery <rra@debian.org> wrote:
> >> I think that's just because pam_unix doesn't log anything in this case.
> >> I've run into that before.
> 
> > I have no clue who logs, but the fact remains that I only get the message
> > when privsep is off.
> 
> Ah, I think I understand.  That error message is coming from ssh itself.

Makes sense - seems I forgot to mention the actual message, sorry:

   fatal: Access denied for user xyz by PAM account configuration

> I did double-check the pam_unix source code and indeed it just exits with
> a failure status but reports no error messages at all if the user isn't
> listed in /etc/shadow.  I think that's probably also a bug in pam.

Not a bug, but highly unhelpful, as sshd can't diagnose what went wrong
and can only give a generic failure message.

But then, that's what we have strace for....

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp@schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\
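
The condition discussed in this thread (an account that pam_unix rejects without logging because it is not listed in /etc/shadow) can be checked for directly. The following is an added example, not part of the original message and not code from pam or openssh; the function name `missing_shadow` and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that appear in a passwd file but have no
# entry in the matching shadow file. Paths are parameters so the check can
# be run against copies as well as the live files.

# missing_shadow PASSWD_FILE SHADOW_FILE
# Prints one "name<TAB>passwd-password-field" line per account without a
# shadow entry; prints nothing when every account is covered.
missing_shadow() {
    awk -F: '
        # Shadow file is read first: remember each account name it lists.
        # FILENAME is compared instead of NR==FNR so that an empty shadow
        # file does not cause passwd lines to be treated as shadow lines.
        FILENAME == ARGV[1] { if ($1 != "") seen[$1] = 1; next }
        # Passwd file: skip blank lines, comments and NIS +/- entries.
        $1 == "" || $1 ~ /^[#+-]/ { next }
        !($1 in seen) { printf "%s\t%s\n", $1, $2 }
    ' "$2" "$1"
}

# Demonstration on constructed sample data (not from any real system).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'xyz:x:1001:1001::/home/xyz:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'root:*:14888:0:99999:7:::' \
                  'alice:!:14888:0:99999:7:::' > "$tmp/shadow"
    missing_shadow "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

demo
```

On a live system the call would be `missing_shadow /etc/passwd /etc/shadow`, which needs enough privilege to read /etc/shadow.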


