Bug#599240: openssh-server: error messages not logged unless PrivilegeSeparation off
On Wed, Oct 06, 2010 at 08:05:23PM -0700, Russ Allbery <rra@debian.org> wrote:
> >> I think that's just because pam_unix doesn't log anything in this case.
> >> I've run into that before.
>
> > I have no clue who logs, but the fact remains that I only get the message
> > when privsep is off.
>
> Ah, I think I understand. That error message is coming from ssh itself.
Makes sense - seems I forgot to mention the actual message, sorry:
fatal: Access denied for user xyz by PAM account configuration
> I did double-check the pam_unix source code and indeed it just exits with
> a failure status but reports no error messages at all if the user isn't
> listed in /etc/shadow. I think that's probably also a bug in pam.
Not a bug, but highly unhelpful, as sshd can't diagnose what went wrong
and can only give a generic failure message.
But then, that's what we have strace for....
--
The choice of a Deliantra, the free code+content MORPG
-----==- _GNU_ http://www.deliantra.net
----==-- _ generation
---==---(_)__ __ ____ __ Marc Lehmann
--==---/ / _ \/ // /\ \/ / schmorp@schmorp.de
-=====/_/_//_/\_,_/ /_/\_\
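
Added example, not part of the original message: since pam_unix is described above as failing without a log line when the user isn't listed in /etc/shadow, this check lists local accounts that would hit that case before anyone has to reach for strace. The function names and the sample data are constructed for illustration; it assumes local passwd/shadow files (no NSS sources such as LDAP) and needs root to read the real /etc/shadow.

```shell
#!/bin/sh
# find_unshadowed [PASSWD_FILE] [SHADOW_FILE]   (hypothetical helper name)
# Prints every login whose passwd password field is "x" (i.e. the hash is
# expected in shadow) but which has no line in the shadow file.
find_unshadowed() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    # "src=..." assignments between file operands tell awk which file it is
    # reading; this stays correct even when the shadow file is empty.
    awk -F: '
        /^#/ || $1 == "" { next }                       # skip comments/blank lines
        src == "shadow"  { shadowed[$1] = 1; next }     # remember shadow logins
        src == "passwd" && $2 == "x" && !($1 in shadowed) { print $1 }
    ' src=shadow "$shadow_file" src=passwd "$passwd_file"
}

# Runs the check against constructed sample files (not from the bug report).
demo_unshadowed() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' \
                  'xyz:x:1001:1001::/home/xyz:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'root:*:14888:0:99999:7:::' \
                  'alice:!:14888:0:99999:7:::' > "$dir/shadow"
    find_unshadowed "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

# Typical use on a live system (as root):  find_unshadowed
```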