Bug 204110

Summary: Logwatch reports "Illegal users" if /var/log/secure has "Postponed" entries
Product: Red Hat Enterprise Linux 4
Reporter: Neelesh Arora <narora>
Component: logwatch
Assignee: Ivana Varekova <varekova>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: 4.0
CC: abulava
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-26 09:17:51 UTC

Description Neelesh Arora 2006-08-25 16:53:53 UTC
Description of problem:
If /var/log/secure has entries as follows:

=================
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from ::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from ::ffff:a.b.c.d port 35657 ssh2
=================
then, logwatch reports them as:

=================
illegal users from these:
   root/publickey: 1 Time(s)
   userbob/password: 1 Time(s)
Postponed authentication:
   root/publickey:
      ::ffff:a.b.c.d: 1 Time(s)
   userbob/password:
      ::ffff:a.b.c.d: 1 Time(s)
=================

The "illegal users" lines above are a bug. Note also that these lines lack the
remote host from which it is reporting the illegal user. The "Postponed
authentication" lines above are what is expected.

This bug has been triggered by illegal postponed messages in /var/log/secure
(see bug #203671).

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1.EL4.1

How reproducible:
Always

Steps to Reproduce:
1. Install logwatch-5.2.2-1.EL4.1 and openssh version 3.9p1-8.RHEL4.15 on hostA
2. Log in as root from a remote host to hostA, or manually add a "Postponed"
entry to /var/log/secure
3. Run logwatch report
  
Actual results:
Logwatch reports Illegal users, in addition to Postponed authentication

Expected results:
"Postponed" messages should be reported as such, not as illegal users.

Additional info:

Comment 1 Ivana Varekova 2007-10-26 08:34:31 UTC
This bug is easy to fix/test.

Comment 2 Ivana Varekova 2007-10-26 09:17:51 UTC

*** This bug has been marked as a duplicate of 227805 ***
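
A regression check for the expected behaviour described in this report, as an added example that is not logwatch's own code (logwatch is written in Perl). It classifies sshd lines so that "Postponed" entries are tallied only under postponed authentication, with the remote host kept; the `Illegal user` sample line, the message patterns and the `summarize` name are assumptions made for the example.

```python
import re

# Constructed sample in the style of /var/log/secure. The two "Postponed"
# lines follow the report; the "Illegal user" line is an assumed contrast case.
SAMPLE = """\
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from ::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from ::ffff:a.b.c.d port 35657 ssh2
Aug 21 22:50:02 host1 sshd[16402]: Illegal user nosuch from ::ffff:a.b.c.d
"""

SSHD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Both rules are anchored at the start of the sshd message, so a
# "Postponed <method> for <user>" line cannot match the illegal-user rule.
POSTPONED = re.compile(
    r"^Postponed (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port \d+")
ILLEGAL = re.compile(r"^Illegal user (?P<user>\S+) from (?P<host>\S+)")


def bump(table, key, host):
    """Increment the per-host counter stored under key."""
    hosts = table.setdefault(key, {})
    hosts[host] = hosts.get(host, 0) + 1


def summarize(text):
    """Return (illegal, postponed, unmatched) for the sshd lines in text."""
    illegal, postponed, unmatched = {}, {}, []
    for line in text.splitlines():
        m = SSHD.match(line)
        if not m:
            continue  # not an sshd line
        msg = m.group("msg")
        p = POSTPONED.match(msg)
        i = ILLEGAL.match(msg)
        if p:
            bump(postponed, p.group("user") + "/" + p.group("method"), p.group("host"))
        elif i:
            bump(illegal, i.group("user"), i.group("host"))
        else:
            unmatched.append(msg)  # surface unknown messages, never guess
    return illegal, postponed, unmatched


if __name__ == "__main__":
    for title, table in zip(("Illegal users", "Postponed authentication"),
                            summarize(SAMPLE)[:2]):
        print(title + ":")
        for key, hosts in table.items():
            for host, n in hosts.items():
                print("   %s: %s: %d Time(s)" % (key, host, n))
```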