Red Hat Bugzilla – Full Text Bug Listing
|Summary:||ssh login/logout no longer logged by pam_unix in /var/log/messages|
|Product:||[Fedora] Fedora||Reporter:||Daniel Levine <daniel.levine>|
|Component:||openssh||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED NOTABUG||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2005-07-01 09:55:53 EDT||Type:||---|
Description Daniel Levine 2005-06-30 17:32:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803

Description of problem:
FC4 workstation relevant sshd_config options (installation file default):

    SyslogFacility AUTHPRIV
    UsePAM yes

Login and logout (successful and failed) information is not logged via syslog to /var/log/messages via pam_unix. In Fedora Core 2, this configuration generates lines like:

    sshd(pam_unix) session opened for user root by (uid=0)
    sshd(pam_unix) session closed for user root

Other pam services like su and gdm do log this information. Assume problem is with openssh.

Version-Release number of selected component (if applicable):
openssh-4.0-p1-3 and pam-0.79-8

How reproducible:
Always

Steps to Reproduce:
1. As root in one window: tail -f /var/log/messages
2. In another window: ssh to system and login (successfully or unsuccessfully doesn't matter)
3. Results should appear in /var/log/messages as in FC2 but do not.

Actual Results:
No syslog output was generated in /var/log/messages.

Expected Results:
Something like this would have gone into /var/log/messages if root logged in successfully and then logged out.

    sshd(pam_unix) session opened for user root by (uid=0)
    sshd(pam_unix) session closed for user root

Additional info:
If this information is not logged, you cannot detect ssh hack attempts or monitor which users are logging in to system via ssh.
Comment 1 Tomas Mraz 2005-07-01 03:16:00 EDT
I cannot reproduce this problem here and I'm really curious how this could happen. Is it a fresh FC4 install with pam and ssh configuration unchanged?
Comment 2 Daniel Levine 2005-07-01 09:55:53 EDT
Well, I went back to verify the minor changes I had made to the default configuration and now I see them being logged. I thought I was seeing this issue for several days and couldn't figure out the culprit. My apologies. Please close if I haven't when I submit this.
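
Editor's added example, not part of the bug thread and not code from openssh or pam: a small Python check that pairs the pam_unix "session opened" / "session closed" lines quoted in the report, so a monitor can list ssh logins and confirm the lines are being written at all. The timestamp, hostname and [pid] framing, the sample lines and the function names are assumptions constructed for the example; point it at whichever file your syslog configuration routes these messages to.

```python
import re

# Matches the pam_unix session lines quoted in the report. The timestamp, host
# and [pid] fields are assumed syslog framing; the page shows only the message.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<svc>[\w-]+)\(pam_unix\)\[(?P<pid>\d+)\]:\s"
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
Jun 30 17:30:01 fc2box sshd(pam_unix)[2101]: session opened for user root by (uid=0)
Jun 30 17:31:12 fc2box su(pam_unix)[2150]: session opened for user daniel by root(uid=0)
Jun 30 17:35:44 fc2box sshd(pam_unix)[2101]: session closed for user root
Jun 30 17:40:09 fc2box sshd(pam_unix)[2207]: session opened for user daniel by (uid=0)
Jun 30 17:41:00 fc2box kernel: unrelated line
"""


def ssh_sessions(log_text, service="sshd"):
    """Pair opened/closed events per (pid, user).

    Returns (completed, still_open): completed is a list of
    (user, opened_ts, closed_ts); still_open is a list of (user, opened_ts).
    Assumes open and close are logged by the same process id.
    """
    open_sessions, completed = {}, []
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m or m["svc"] != service:
            continue  # not a pam_unix session line for this service
        key = (m["pid"], m["user"])
        if m["event"] == "opened":
            open_sessions[key] = m["ts"]
        elif key in open_sessions:
            completed.append((m["user"], open_sessions.pop(key), m["ts"]))
    still_open = [(user, ts) for (_, user), ts in open_sessions.items()]
    return completed, still_open


def logging_is_working(log_text):
    """True if at least one sshd pam_unix session line is present."""
    completed, still_open = ssh_sessions(log_text)
    return bool(completed or still_open)


if __name__ == "__main__":
    done, active = ssh_sessions(SAMPLE_LOG)
    print("completed:", done)
    print("still open:", active)
```

An empty result from `logging_is_working` after a known test login is the condition the reporter was describing, and is worth alerting on in its own right.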