Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 204110 - Logwatch reports "Illegal users" if /var/log/secure has "Postponed" entries
Summary: Logwatch reports "Illegal users" if /var/log/secure has "Postponed" entries
Status: CLOSED DUPLICATE of bug 227805
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
Version: 4.0
Hardware: i686
OS: Linux
Target Milestone: ---
: ---
Assignee: Ivana Varekova
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-08-25 16:53 UTC by Neelesh Arora
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-10-26 09:17:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Neelesh Arora 2006-08-25 16:53:53 UTC
Description of problem:
If /var/log/secure has entries as follows:

Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from
::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from
::ffff:a.b.c.d port 35657 ssh2
then, logwatch reports them as:

illegal users from these:
   root/publickey: 1 Time(s)
   userbob/password: 1 Time(s)
Postponed authentication:
      ::ffff:a.b.c.d: 1 Time(s)
      ::ffff:a.b.c.d: 1 Time(s)

The "illegal users" lines above is a bug. Note also that these lines lack the
remote host from which it is reporting the illegal user. The "Postponed
authentication" lines above is what is expected.

This bug has been triggered by illegal postponed messages in /var/log/secure
(see bug #203671).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install logwatch-5.2.2-1.EL4.1 and openssh version 3.9p1-8.RHEL4.15 on hostA
2. Login as root from a remote host to hostA, or manually add a "Postponed"
entry to /var/log/secure
3. Run logwatch report
Actual results:
Logwatch reports Illegal users, in addition to Postponed authentication

Expected results:
"Postponed" messages should be reported as such, not as illegal users.

Additional info:

Comment 1 Ivana Varekova 2007-10-26 08:34:31 UTC
This bug is easy to fix/test.

Comment 2 Ivana Varekova 2007-10-26 09:17:51 UTC

*** This bug has been marked as a duplicate of 227805 ***

Note You need to log in before you can comment on or make changes to this bug.