19966 – sshd uses AUTH, not AUTHPRIV, for syslog entries

Bug 19966 - sshd uses AUTH, not AUTHPRIV, for syslog entries

Summary: sshd uses AUTH, not AUTHPRIV, for syslog entries

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	openssh
Sub Component:
Version:	7.0
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-10-28 20:22 UTC by Jeff Norden
Modified:	2008-05-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2000-10-28 20:22:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jeff Norden 2000-10-28 20:22:45 UTC

sshd sends its syslog messages using the AUTH facility instead of
AUTHPRIV.  (According to the syslog(3) man page, the use of AUTH is
supposed to be deprecated.)  The result is that sshd messages go into
/var/log/messages and not /var/log/secure.  Since redhat leaves both these
log files readable only by root, the problem is not one of privacy. 
Rather, it is good practice to periodically scan /var/log/secure for
possible breaking attempts, etc,  (it is usually much shorter than
messages).  Not having any ssh entries there is a bad idea, imho.

A simple and immediate fix is to change the entry in /etc/syslog.conf  for
/var/log/secure from

 authpriv.*			/var/log/secure

to

 auth.*;authpriv.*                        /var/log/secure

sshd messages then go into both the messages and secure logs, but that's
ok.  I think that the above change to syslog.conf  is a good idea anyway,
even once sshd's logging gets fixed.

Comment 1 Nalin Dahyabhai 2000-10-30 20:51:39 UTC

This will be fixed in openssh-2.2.0p1-8 and later.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.