Bug 204110 - Logwatch reports "Illegal users" if /var/log/secure has "Postponed" entries
Status: CLOSED DUPLICATE of bug 227805
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: logwatch
Version: 4.0
Hardware: i686 Linux
Priority: medium Severity: medium
Assigned To: Ivana Varekova
Reported: 2006-08-25 12:53 EDT by Neelesh Arora
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-10-26 05:17:51 EDT


Description Neelesh Arora 2006-08-25 12:53:53 EDT
Description of problem:
If /var/log/secure has entries as follows:

=================
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from ::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from ::ffff:a.b.c.d port 35657 ssh2
=================
then, logwatch reports them as:

=================
illegal users from these:
   root/publickey: 1 Time(s)
   userbob/password: 1 Time(s)
Postponed authentication:
   root/publickey:
      ::ffff:a.b.c.d: 1 Time(s)
   userbob/password:
      ::ffff:a.b.c.d: 1 Time(s)
=================

The "illegal users" lines above are a bug. Note also that these lines lack the
remote host from which it is reporting the illegal user. The "Postponed
authentication" lines above are what is expected.

This bug has been triggered by illegal postponed messages in /var/log/secure
(see bug #203671).

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1.EL4.1

How reproducible:
Always

Steps to Reproduce:
1. Install logwatch-5.2.2-1.EL4.1 and openssh version 3.9p1-8.RHEL4.15 on hostA
2. Login as root from a remote host to hostA, or manually add a "Postponed"
entry to /var/log/secure
3. Run logwatch report
  
Actual results:
Logwatch reports Illegal users, in addition to Postponed authentication

Expected results:
"Postponed" messages should be reported as such, not as illegal users.

Additional info:
Comment 1 Ivana Varekova 2007-10-26 04:34:31 EDT
This bug is easy to fix/test.
Comment 2 Ivana Varekova 2007-10-26 05:17:51 EDT

*** This bug has been marked as a duplicate of 227805 ***
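
The expected behaviour from the report, as an added example that is not logwatch's own code (logwatch is written in Perl): a small Python classifier that matches each sshd message type against a pattern anchored to the whole line, so the two "Postponed" lines are counted once, with their remote host, and never as illegal users. The sample lines are constructed from the report; the "Illegal user" line (assumed OpenSSH 3.9 wording), the user `mallory` and all function names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the report plus one
# "Illegal user" line (assumed OpenSSH 3.9 wording) for contrast.
SAMPLE = """\
Aug 21 22:46:39 host1 sshd[16318]: Postponed publickey for root from ::ffff:a.b.c.d port 35647 ssh2
Aug 21 22:47:37 host1 sshd[16318]: Postponed password for userbob from ::ffff:a.b.c.d port 35657 ssh2
Aug 21 22:50:02 host1 sshd[16400]: Illegal user mallory from ::ffff:a.b.c.d
"""

# Syslog header: month, day, time, hostname, sshd[pid].
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: "

# Each rule is anchored at both ends, so a line can only match the message
# type it actually is; nothing is inferred from a partial match.
RULES = [
    ("postponed", re.compile(
        PREFIX + r"Postponed (?P<method>\S+) for (?P<user>\S+) "
                 r"from (?P<host>\S+) port \d+ ssh2$")),
    ("illegal", re.compile(
        PREFIX + r"Illegal user (?P<user>\S+) from (?P<host>\S+)$")),
]

def classify(line):
    """Return (category, fields) for the first rule matching the whole line."""
    for name, rx in RULES:
        m = rx.match(line)
        if m:
            return name, m.groupdict()
    return None, {}

def report(text):
    """Count events per category; every counted event keeps its remote host."""
    out = {"postponed": defaultdict(int), "illegal": defaultdict(int),
           "unmatched": []}
    for raw in text.splitlines():
        line = raw.strip()
        cat, f = classify(line)
        if cat == "postponed":
            out["postponed"][(f["user"] + "/" + f["method"], f["host"])] += 1
        elif cat == "illegal":
            out["illegal"][(f["user"], f["host"])] += 1
        elif line:
            # Unknown lines are surfaced as-is rather than guessed at.
            out["unmatched"].append(line)
    return out
```
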
