This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 162218 - ssh login/logout no longer logged by pam_unix in /var/log/messages
ssh login/logout no longer logged by pam_unix in /var/log/messages
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2005-06-30 17:32 EDT by Daniel Levine
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-07-01 09:55:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Terms of Use)

  None (edit)
Description Daniel Levine 2005-06-30 17:32:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803

Description of problem:
FC4 workstation relevant sshd_config options (installation file default):
SyslogFacility AUTHPRIV
UsePAM yes

Log in and logout (successful and failed) information is not logged via syslog to /var/log/messages via pam_unix.

In Fedora Core 2, configuration generates lines like:

sshd(pam_unix)[12345] session opened for user root by (uid=0)
sshd(pam_unix)[12346] session closed for user root

Other pam services like su and gdm do log this information.  Assume problem is with openssh.

Version-Release number of selected component (if applicable):
openssh-4.0-p1-3 and pam-0.79-8

How reproducible:

Steps to Reproduce:
1. As root in one window: tail -f /var/log/messages
2. In another window: ssh to system and login (successfully or unsuccessfully doesn't matter)
3. Results should appear /var/log/messages as in FC2 but does not.

Actual Results:  No syslog output was generated in /var/log/messages.

Expected Results:  Something like this would have gone into /var/log/messages if root logged in successfully and then logged out.

sshd(pam_unix)[12345] session opened for user root by (uid=0)
sshd(pam_unix)[12346] session closed for user root

Additional info:

If this information is not logged, you cannot detect ssh hack attempts or monitor which users are logging in to system via ssh.
Comment 1 Tomas Mraz 2005-07-01 03:16:00 EDT
I cannot reproduce this problem here and I'm really curious how this could
happen, is it a fresh FC4 install with pam and ssh configuration unchanged?
Comment 2 Daniel Levine 2005-07-01 09:55:53 EDT

I went back to verify the minor changes I had made to the default configuration 
and now I see them being logged.

I thought I was seeing this issue for several days and couldn't figure out the 

My apologies.  Please close if I haven't when I submit this.

Note You need to log in before you can comment on or make changes to this bug.