Bug 671550 - userauth-requests should be logged at a higher level than debug
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Assigned To: Jan F. Chadima
QA Contact: Fedora Extras Quality Assurance
Keywords: Patch
Reported: 2011-01-21 15:24 EST by Matthew Miller
Modified: 2011-03-08 05:05 EST (History)
Doc Type: Bug Fix
Last Closed: 2011-03-08 05:05:19 EST


Attachments:
patch to increase logging of userauth-request from DEBUG to VERBOSE (537 bytes, patch)
2011-01-21 15:24 EST, Matthew Miller
Description Matthew Miller 2011-01-21 15:24:02 EST
Created attachment 474681
patch to increase logging of userauth-request from DEBUG to VERBOSE

Description of problem:

If someone with a valid user name attempts to connect to an ssh server but fails for some reason, nothing is normally logged. This makes diagnostics confusing. If one ups the LogLevel to DEBUG, a *lot* of stuff is logged -- way too much for normal use, and as the config file warns, so much that user privacy could be violated.

The most useful line is "userauth-request", which takes the form of 

  userauth-request for user mattdm service ssh-connection method publickey

or

  userauth-request for user mattdm service ssh-connection method password

Version-Release number of selected component (if applicable):

  All up to and including at least 5.6p1

How reproducible:

  Always

Steps to Reproduce:
1. Set LogLevel to the normal INFO level, or to VERBOSE
2. Try to connect to an ssh server but fail
  
Actual results:

 Nothing logged.

Expected results:

 Something logged.


Additional info:

The attached patch ups the log level for this to a reasonable "VERBOSE". This doesn't change the default behavior (INFO is the default), but gives the sysadmin the option of investigating problems without using the big sledgehammer of DEBUG (which may log information which later needs to be cleaned from the logs -- quite a hassle even if possible in a given environment).

--- openssh-5.6p1/auth2.c-verbose-requests	2011-01-21 15:07:36.000000000 -0500
+++ openssh-5.6p1/auth2.c	2011-01-21 15:08:09.000000000 -0500
@@ -229,7 +229,7 @@
 	user = packet_get_string(NULL);
 	service = packet_get_string(NULL);
 	method = packet_get_string(NULL);
-	debug("userauth-request for user %s service %s method %s", user, service, method);
+	verbose("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
 #ifdef WITH_SELINUX
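
Review bot: Only the first log call in this hunk is promoted, so at VERBOSE the log shows that a request arrived but not how it ended. The next line, `debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);`, stays at debug, and nothing in the visible lines records the outcome of the method. If the aim is to diagnose failed logins, promote that counter line as well, or state in the change description which existing message reports the failure at VERBOSE. Also note that user, service and method all come straight from packet_get_string(), that is, from the client before it has authenticated, so the content of this line is chosen by the peer. The LogLevel documentation should say that VERBOSE now records attempted user names.
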
Comment 1 Jan F. Chadima 2011-03-08 05:05:19 EST
This is only partial results; I prefer to leave it as is.
