
Bug#695734: Log IP instead of hostname



martin f krafft <madduck@debian.org> writes:

> Please consider logging the IP instead of the reverse DNS entry in
> the following log message:

>   sshd[22199]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.onemessageministries.org  user=root

> I know that SSH checks forward and reverse DNS and emits a warning
> if they don't match (and it could be that it would log the IP if
> there was a problem), but there is really no reason to log reverse
> DNS rather than the IP, is there?

The PAM documentation specifically calls for the hostname:

PAM_RHOST

    The requesting hostname (the hostname of the machine from which the
    PAM_RUSER entity is requesting service). That is PAM_RUSER@PAM_RHOST
    does identify the requesting user. In some applications, PAM_RHOST may
    be NULL. In such situations, it is unclear where the authentication
    request is originating from.

I wonder if the most general approach would be to add a new PAM item to
Linux PAM that takes the requesting IP address so that both can be logged
separately.  Of course, that means years before this bug would be fixed,
given how long that sort of change would take to propagate through
everything.

There are some (relatively minor, but real) reasons to log the hostname
*as well as* the IP address, mostly related to analysis of historical logs
after a time span where IP space may have been reassigned to another
provider.  I agree that it's generally a bad idea to log *only* the
hostname without the IP.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
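As an added example (not part of the bug thread or of Linux PAM), here is a small parser that pulls the rhost field out of PAM "more authentication failures" lines like the one quoted above and flags entries where PAM_RHOST held a DNS name rather than an address literal; the first sample line is the one from the report, the other two are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the PAM failure summary line quoted in the bug report.
PAM_FAILURE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: PAM (?P<count>\d+) more authentication failures; "
    r"(?P<fields>.*)$"
)
# Fields are "key=value" separated by whitespace; a value may be empty ("logname=", "ruser=").
FIELD_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class PamFailure:
    pid: int
    count: int
    rhost: str
    user: str
    rhost_is_ip: bool  # True when PAM_RHOST was an address literal, not a reverse-DNS name


def parse_pam_failure(line: str) -> Optional[PamFailure]:
    """Extract the rhost/user fields and classify rhost as IP literal or hostname."""
    m = PAM_FAILURE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rhost = fields.get("rhost", "")
    try:
        ipaddress.ip_address(rhost)  # accepts IPv4 and IPv6 literals only
        is_ip = True
    except ValueError:
        is_ip = False
    return PamFailure(int(m.group("pid")), int(m.group("count")),
                      rhost, fields.get("user", ""), is_ip)


def hostname_only_entries(lines):
    """Entries whose rhost is a DNS name: these cannot be tied back to an address
    once the name or the IP space behind it has changed hands."""
    return [r for r in map(parse_pam_failure, lines)
            if r is not None and r.rhost and not r.rhost_is_ip]


# Constructed sample log: line 1 is from the bug report, lines 2 and 3 are invented.
SAMPLE_LOG = [
    "sshd[22199]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.onemessageministries.org  user=root",
    "sshd[22310]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "sshd[22402]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::1  user=admin",
]

if __name__ == "__main__":
    for rec in hostname_only_entries(SAMPLE_LOG):
        print(f"pid {rec.pid}: rhost {rec.rhost!r} is a hostname, not an address")
```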