Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1127312

Summary: confusing audit trail for unsuccessful logins
Product: Red Hat Enterprise Linux 6 Reporter: Ondrej Moriš <omoris>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Stanislav Zidek <szidek>
Severity: medium Docs Contact:
Priority: high    
Version: 6.6CC: jjelen, pvrabec, sgrubb, szidek, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-5.3p1-105.el6 Doc Type: Bug Fix
Doc Text:
Non-existing users logging in with ssh triggered two different audit messages in the log, which was not expected behavior. With this update, when a non-existing user attempts to log in using ssh, only one audit message is triggered. This message records a login attempt from an unknown user as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 06:45:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1153397, 1159820, 1159926    

Description Ondrej Moriš 2014-08-06 15:48:09 UTC 
Description of problem:

When logging in using ssh two following cases might occur:

 a) existing user but wrong password,
 b) non-existing user.

PAM/ssh react in these cases by generating audit events USER_LOGIN. In the first case, event is generated correctly. But in the second case, two events are generated:

 * first event for unknown user (which is ok),
 * second event for invalid user (which is wrong, confusing).

This situation cause aulast to report as follows (for (b) case):

# aulast --bad
(unknown ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)
(invalid ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)

Version-Release number of selected component (if applicable):

audit-2.3.3-4.el7
openssh-6.4p1-8.el7
pam-1.1.8-9.el7

How reproducible:

100%

Steps to Reproduce:

1. Empty audit.log (or use checkpoints).
2. Try to log-in via ssh as existing user with wrong password.
3. Try to log-in via ssh as non-existing user.

Actual results:

Three audit events generated, first is correct, second is correct but the last one is redundant and confusing (invalid user).

# ausearch -ts recent -m login,user_start,user_end,user_login
----
time->Wed Aug  6 17:35:09 2014
type=USER_LOGIN msg=audit(1407339309.512:261): pid=27004 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
----
time->Wed Aug  6 17:35:21 2014
type=USER_LOGIN msg=audit(1407339321.301:266): pid=27009 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
----
time->Wed Aug  6 17:35:26 2014
type=USER_LOGIN msg=audit(1407339326.268:272): pid=27009 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'

# aulast --bad
root     ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)
(unknown ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)
(invalid ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)

Expected results:

# ausearch -ts recent -m login,user_start,user_end,user_login
----
time->Wed Aug  6 17:35:09 2014
type=USER_LOGIN msg=audit(1407339309.512:261): pid=27004 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
----
time->Wed Aug  6 17:35:21 2014
type=USER_LOGIN msg=audit(1407339321.301:266): pid=27009 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=ssh res=failed'
# aulast
# aulast --bad
root     ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)
(unknown ssh          ::1              Wed Aug  6 17:35 - 17:35  (00:00)

Additional info:

See also https://bugzilla.redhat.com/show_bug.cgi?id=922508#c14. I am not sure if this is a problem in pam or openssh but it is definitely not a bug in audit. Please feel free to change the component if needed.
Comment 1 Tomas Mraz 2014-08-07 07:12:41 UTC 
This audit record is created by sshd directly and not PAM. However I suspect that its generation is triggered by sshd trying to make indistinguishable from the client side whether known or unknown user is trying to login and so I do not expect it to be easily fixed.
Comment 2 Steve Grubb 2014-08-07 14:06:51 UTC 
There is no requirement to obfuscate the user on unsuccessful logins. You can use acct="unknown" if you prefer to. Currently, acct="(unknown user)" is used which gets hex encoded because of the space in the value and causes it to take up more log space.

The major problem is the second entry under acct="(invalid user)", this one should not be sent at all. The AUDIT_USER_LOGIN event should be sent only 1 time and it is the summary decision of all the authentication/account attempts. A couple examples: If 3 password attempts fail, only 1 USER_LOGIN event should be sent saying login failed. If authentication was successful and pam_acct says no because too many sessions/wrong time of day, then only 1 is sent saying login failed. HTH.
Comment 3 Eduard Benes 2014-10-30 13:35:56 UTC 
This issue has been now reported against RHEL 7 as bug 1158521
Comment 4 Petr Lautrbach 2014-11-03 14:50:29 UTC 
Would be acceptable to change this during late rhel-6 release cycle? Could the change break some existing configurations?
Comment 5 Petr Lautrbach 2014-11-03 15:40:00 UTC 
The mentioned change would be similar to https://bugzilla.redhat.com/show_bug.cgi?id=1158521#c2
Comment 6 Steve Grubb 2014-11-04 13:25:30 UTC 
It is acceptable to change this during RHEL6 because what is in RHEL6 is breaking the analysis or perhaps making it harder.
Comment 10 errata-xmlrpc 2015-07-22 06:45:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1335.html