Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 162218 - ssh login/logout no longer logged by pam_unix in /var/log/messages
Summary: ssh login/logout no longer logged by pam_unix in /var/log/messages
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 4
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-30 21:32 UTC by Daniel Levine
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-01 13:55:53 UTC


Attachments (Terms of Use)

Description Daniel Levine 2005-06-30 21:32:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803

Description of problem:
FC4 workstation relevant sshd_config options (installation file default):
SyslogFacility AUTHPRIV
UsePAM yes

Log in and logout (successful and failed) information is not logged via syslog to /var/log/messages via pam_unix.

In Fedora Core 2, configuration generates lines like:

sshd(pam_unix)[12345] session opened for user root by (uid=0)
sshd(pam_unix)[12346] session closed for user root

Other pam services like su and gdm do log this information.  Assume problem is with openssh.

Version-Release number of selected component (if applicable):
openssh-4.0-p1-3 and pam-0.79-8

How reproducible:
Always

Steps to Reproduce:
1. As root in one window: tail -f /var/log/messages
2. In another window: ssh to system and login (successfully or unsuccessfully doesn't matter)
3. Results should appear /var/log/messages as in FC2 but does not.
  

Actual Results:  No syslog output was generated in /var/log/messages.

Expected Results:  Something like this would have gone into /var/log/messages if root logged in successfully and then logged out.

sshd(pam_unix)[12345] session opened for user root by (uid=0)
sshd(pam_unix)[12346] session closed for user root

Additional info:

If this information is not logged, you cannot detect ssh hack attempts or monitor which users are logging in to system via ssh.

Comment 1 Tomas Mraz 2005-07-01 07:16:00 UTC
I cannot reproduce this problem here and I'm really curious how this could
happen, is it a fresh FC4 install with pam and ssh configuration unchanged?


Comment 2 Daniel Levine 2005-07-01 13:55:53 UTC
Well,

I went back to verify the minor changes I had made to the default configuration 
and now I see them being logged.

I thought I was seeing this issue for several days and couldn't figure out the 
culprit.

My apologies.  Please close if I haven't when I submit this.



Note You need to log in before you can comment on or make changes to this bug.