Bug 162218

Summary: ssh login/logout no longer logged by pam_unix in /var/log/messages
Product: [Fedora] Fedora
Reporter: Daniel Levine <daniel.levine>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4
Keywords: Security
Hardware: i386   
OS: Linux   
Last Closed: 2005-07-01 13:55:53 UTC

Description Daniel Levine 2005-06-30 21:32:06 UTC

Description of problem:
FC4 workstation relevant sshd_config options (installation file default):
SyslogFacility AUTHPRIV
UsePAM yes

Login and logout (successful and failed) information is not logged via syslog to /var/log/messages via pam_unix.

In Fedora Core 2, this configuration generates lines like:

sshd(pam_unix)[12345] session opened for user root by (uid=0)
sshd(pam_unix)[12346] session closed for user root

Other PAM services like su and gdm do log this information.  I assume the problem is with openssh.

Version-Release number of selected component (if applicable):
openssh-4.0-p1-3 and pam-0.79-8

How reproducible:
Always

Steps to Reproduce:
1. As root in one window: tail -f /var/log/messages
2. In another window: ssh to the system and log in (successfully or unsuccessfully, it doesn't matter)
3. Results should appear in /var/log/messages as in FC2 but do not.
  

Actual Results:  No syslog output was generated in /var/log/messages.

Expected Results:  Something like this would have gone into /var/log/messages if root logged in successfully and then logged out.

sshd(pam_unix)[12345] session opened for user root by (uid=0)
sshd(pam_unix)[12346] session closed for user root

Additional info:

If this information is not logged, you cannot detect ssh hack attempts or monitor which users are logging in to the system via ssh.

Comment 1 Tomas Mraz 2005-07-01 07:16:00 UTC
I cannot reproduce this problem here and I'm really curious how this could
happen. Is it a fresh FC4 install with pam and ssh configuration unchanged?


Comment 2 Daniel Levine 2005-07-01 13:55:53 UTC
Well,

I went back to verify the minor changes I had made to the default configuration 
and now I see them being logged.

I thought I was seeing this issue for several days and couldn't figure out the 
culprit.

My apologies.  Please close if I haven't when I submit this.
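
Added example, not part of the original report and not openssh or PAM code: a check that parses the pam_unix session records quoted in the description, pairs opens with closes per service and user, and reports which expected services left no session records at all (the symptom reported here). The function names, the syslog timestamp/host prefix and the sample lines are constructed assumptions; the second pattern covers the `pam_unix(service:session)` form written by newer Linux-PAM releases, which does not appear on this page.

```python
import re
from collections import Counter

# Form quoted in the report: sshd(pam_unix)[12345] session opened for user root by (uid=0)
OLD = re.compile(r"(?P<svc>[\w.-]+)\(pam_unix\)\[\d+\]:?\s+(?P<msg>session .*)$")
# Newer Linux-PAM form (assumption, not on this page): sshd[3001]: pam_unix(sshd:session): ...
NEW = re.compile(r"[\w.-]+(?:\[\d+\])?:\s+pam_unix\((?P<svc>[\w.-]+):session\):\s+(?P<msg>session .*)$")
EVENT = re.compile(r"session (?P<kind>opened|closed) for user (?P<user>\S+)")

def parse(line):
    """Return (service, 'opened'|'closed', user) for a pam_unix session line, else None."""
    for pat in (OLD, NEW):
        m = pat.search(line)
        if m:
            ev = EVENT.match(m["msg"])
            if ev:
                return m["svc"], ev["kind"], ev["user"]
    return None

def summarize(lines, expected=("sshd",)):
    """Count session events and list expected services that logged none."""
    opened, closed = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            svc, kind, user = rec
            (opened if kind == "opened" else closed)[(svc, user)] += 1
    seen = {svc for svc, _ in list(opened) + list(closed)}
    return {
        # The open and close lines in the report carry different PIDs (12345 / 12346),
        # so sessions are paired by (service, user) counts rather than by PID.
        "still_open": dict(opened - closed),
        "silent": [s for s in expected if s not in seen],
    }

# Constructed sample: su and gdm log sessions, sshd logs nothing.
SAMPLE = """\
Jun 30 21:30:01 ws1 su(pam_unix)[2201]: session opened for user root by dan(uid=500)
Jun 30 21:30:09 ws1 su(pam_unix)[2201]: session closed for user root
Jun 30 21:31:40 ws1 gdm(pam_unix)[1980]: session opened for user dan by (uid=0)
Jun 30 21:32:00 ws1 kernel: eth0: link up
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, expected=("sshd", "su", "gdm")))
```

A service listed under "silent" only means no session records reached the file that was read; with SyslogFacility AUTHPRIV, as in the configuration above, the syslog daemon's routing decides which file that is.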