Red Hat Bugzilla – Bug 102221
openssh erroneously reports authentication failures
Last modified: 2014-01-21 17:48:43 EST
Description of problem:
When a user successfully logs in via sshd using password authentication, sshd
reports an authentication failure in syslog.
hostname% tail -2 /var/log/messages
Aug 12 12:21:05 hostname sshd(pam_unix): authentication failure; logname=
uid=0 euid=0 tty=NODEVssh ruser= rhost=fission.creek.foo user=username
Aug 12 12:21:14 hostname sshd(pam_unix): session opened for user username
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ssh to a system running the opensshd patched for errata RHSA-2003-222
2. login successfully
3. on the target system, tail /var/log/messages
4. note that sshd/pam reported to syslog 'authentication failure'
Actual Results: /var/log/messages contains an authentication failure log entry
despite the fact that the sshd authentication was successful.
Expected Results: /var/log/messages should only contain a success entry from
sshd of the form 'sshd(pam_unix): session opened for user username by
This bug is reproducible on any version of Red Hat Linux which was patched for
this errata, including openssh for RedHat 7.1, Red Hat 7.2, Red Hat 7.3, Red Hat
8.0, Red Hat 9.0
This bug is not a duplicate of 101662 or 101157.
Those bugs are similar but took issue with login time which is arguably not a 'bug'.
This bug addresses the authentication failure log entry emanating from sshd/pam
which is clearly not valid when sshd password authentication was successful.
This problem, and the resulting alerts triggered by programs like logwatch which
scan for authentication failures, is causing many customers to revert to
previous versions of the openssh product.
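The report above describes a spurious pam_unix "authentication failure" line that is followed, seconds later, by a "session opened" line for the same user, and the logwatch false positives that result. The following correlator is an added example written for this page, not code from Red Hat, OpenSSH or any of the reporters: it parses sshd(pam_unix) syslog lines and marks a failure as spurious when a "session opened" for the same user follows within a short window, leaving genuine failures to alert on. The log lines embedded in it are constructed to match the format quoted in the report; the "by (uid=0)" tail on the session line and the 30-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines modelled on the format quoted in the report.
# They are made-up examples, not lines taken from any real system.
SAMPLE_LOG = """\
Aug 12 12:21:05 hostname sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=fission.creek.foo user=username
Aug 12 12:21:14 hostname sshd(pam_unix): session opened for user username by (uid=0)
Aug 12 12:30:00 hostname sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7 user=root
Aug 12 12:30:02 hostname sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7 user=root
Aug 12 12:45:00 hostname sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=fission.creek.foo user=username
"""

# syslog timestamp, host, then the sshd(pam_unix) tag used in the report
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\(pam_unix\): (?P<msg>.*)$"
)
FAIL_PREFIX = "authentication failure;"
OPEN_PREFIX = "session opened for user "


def parse_ts(text):
    """Parse a syslog timestamp. Syslog omits the year, so strptime fills in
    1900; that is fine for ordering lines within one file (assumption: the
    sample does not cross a year boundary)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_events(log_text):
    """Turn sshd(pam_unix) lines into (ts, kind, user, rhost) tuples.
    kind is 'fail' for authentication failures and 'open' for session opens;
    the session-open line carries no rhost, so rhost is None there."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd/pam_unix line, ignore it
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if msg.startswith(FAIL_PREFIX):
            fields = dict(re.findall(r"(\w+)=(\S*)", msg))
            events.append((ts, "fail", fields.get("user", ""), fields.get("rhost", "")))
        elif msg.startswith(OPEN_PREFIX):
            user = msg[len(OPEN_PREFIX):].split()[0]
            events.append((ts, "open", user, None))
    return events


def classify_failures(log_text, window_seconds=30):
    """Return one dict per 'authentication failure' line. A failure is marked
    spurious when a 'session opened' for the same user follows it within
    window_seconds, the pattern the report shows for the patched sshd."""
    events = parse_events(log_text)
    opens = [(ts, user) for ts, kind, user, _ in events if kind == "open"]
    results = []
    for ts, kind, user, rhost in events:
        if kind != "fail":
            continue
        spurious = any(
            o_user == user and 0 <= (o_ts - ts).total_seconds() <= window_seconds
            for o_ts, o_user in opens
        )
        results.append({"ts": ts, "user": user, "rhost": rhost, "spurious": spurious})
    return results


def real_failures(log_text, window_seconds=30):
    """(user, rhost) for failures not explained by a following successful login."""
    return [(r["user"], r["rhost"])
            for r in classify_failures(log_text, window_seconds)
            if not r["spurious"]]


if __name__ == "__main__":
    for r in classify_failures(SAMPLE_LOG):
        tag = "spurious" if r["spurious"] else "REAL"
        print(f"{r['ts']:%b %d %H:%M:%S} user={r['user']} rhost={r['rhost']} -> {tag}")
```

The caveat a practitioner should keep in mind: the pam_unix "session opened" line names only the user, not the remote host, so the match is on user and time alone. A genuine bad guess against an account a few seconds before its owner logs in from elsewhere would be suppressed too, which is why the window should stay small and why the root cause in sshd, not log filtering, is the real fix.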
Anyone found a fix for that? Why is there so much silence around this important issue?
My logwatcher is flooding me with false errors, so it has become useless
regarding ssh authentication errors.
I too am very interested to see this problem fixed. I am wondering if it is
actually an issue with PAM though. I've included several key files for PAM in
the hope that maybe I just have something misconfigured. I am running Redhat 8.0
using openssh-3.4p1-4. I did not have this problem when I was running
openssh-3.4p1-2. I am also trying to figure out why successful logins are not
recorded even though my /etc/syslog.conf file logs auth.info and authpriv.info.
Thanks in advance for any information on this. -Jenny =)
Here is my /etc/pam.d/sshd file:
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
Here is my /etc/pam.d/system-auth file:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow nis
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
This bug is fixed in 3.5p1-11 on RH9 and 3.1p1-14 on RH7.2
I don't think so:
# cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
# rpm -q openssh
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[start ssh session to system, password login, no error]
==> /var/log/linksys.log <==
Oct 21 13:42:03 systemname sshd(pam_unix): authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=buggsb.moneta.optonline.net
It's fixed for the SSH2 protocol. It is not fixed for the SSH1 protocol. But
if you're still using SSH1, you have other problems anyway....
It doesn't appear fixed to me at all.
System "buggsb force SSH2, just in case":
$ ssh -2 mmoneta@mmouse
==> /var/log/messages <==
Oct 21 14:10:00 mmouse sshd(pam_unix): authentication failure; logname=
uid=0 euid=0 tty=NODEVssh ruser= rhost=buggsb.moneta.optonline.net user=mmoneta
I have Red Hat 7.2, Red Hat 8.0, and Red Hat 9 machines subscribed to RHN.
Since the advisory RHSA-2003:279-17 and applying the OpenSSH errata released
September 17th, 2003, the 'authentication failure' behavior has disappeared.
I have tested successfully on Red Hat 7.2 (openssh-3.1p1-14), Red Hat 8.0
(openssh-3.4p1-7), and Red Hat 9 (openssh-3.5p1-11).
I am ONLY using SSH2 protocol.
If it is still broken for SSH1, we could reopen this bug, or post a new one.
This bug remained in 'NEW' Status for almost two months and wasn't acknowledged.