Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 204110 - Logwatch reports "Illegal users" if /var/log/secure has "Postponed" entries
Logwatch reports "Illegal users" if /var/log/secure has "Postponed" entries
Status: CLOSED DUPLICATE of bug 227805
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch (Show other bugs)
4.0
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Ivana Varekova
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-25 12:53 EDT by Neelesh Arora
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-26 05:17:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Neelesh Arora 2006-08-25 12:53:53 EDT 
Description of problem:
If /var/log/secure has entries as follows:

=================
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from
::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from
::ffff:a.b.c.d port 35657 ssh2
=================
then, logwatch reports them as:

=================
illegal users from these:
   root/publickey: 1 Time(s)
   userbob/password: 1 Time(s)
Postponed authentication:
   root/publickey:
      ::ffff:a.b.c.d: 1 Time(s)
   userbob/password:
      ::ffff:a.b.c.d: 1 Time(s)
=================

The "illegal users" lines above is a bug. Note also that these lines lack the
remote host from which it is reporting the illegal user. The "Postponed
authentication" lines above is what is expected.

This bug has been triggered by illegal postponed messages in /var/log/secure
(see bug #203671).

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1.EL4.1

How reproducible:
Always

Steps to Reproduce:
1. Install logwatch-5.2.2-1.EL4.1 and openssh version 3.9p1-8.RHEL4.15 on hostA
2. Login as root from a remote host to hostA, or manually add a "Postponed"
entry to /var/log/secure
3. Run logwatch report
  
Actual results:
Logwatch reports Illegal users, in addition to Postponed authentication

Expected results:
"Postponed" messages should be reported as such, not as illegal users.

Additional info:
Comment 1 Ivana Varekova 2007-10-26 04:34:31 EDT 
This bug is easy to fix/test.
Comment 2 Ivana Varekova 2007-10-26 05:17:51 EDT 

*** This bug has been marked as a duplicate of 227805 ***
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.