Bug 8630 - syslog doesn't log ssh after upgrade
Summary: syslog doesn't log ssh after upgrade
Keywords:
Status: CLOSED DUPLICATE of bug 7214
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sysklogd
Version: 6.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2000-01-19 19:25 UTC by jrs
Modified: 2014-03-17 02:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-02-01 19:37:32 UTC
Embargoed:



Description jrs 2000-01-19 19:25:47 UTC
Equipment: P133 running RH6.0 with a custom 2.2.10 kernel.

I recently installed several of the security patches for 6.0,
including sysklogd-1.3.31-14. I followed the directions
carefully, but after restarting syslog, I found that it stopped
logging all ssh activity. The syslog continued to run (an
excerpt from /var/log/messages is provided below).

I found previous reports of this sort of behavior in Bugzilla,
but only for older 5.x versions of RH, and older versions of sysklogd.

Although it is almost always the wrong solution, I decided to see
if a reboot would cure the problem. It did.

It makes me suspect that there is a bug in one of the /etc/rc.d/init.d
scripts. For example, maybe another daemon (or maybe just sshd) needs
to be restarted when syslog gets restarted?

FYI: I am running ssh-1.2.27, compiled from source.
The contents of my default startups in /etc/rc.d/rc3.d:
K10xntpd
K20rusersd
K20rwhod
K55routed
K85netfs
S10network
S11portmap
S20random
S30syslog
S40atd
S40crond
S50inet
S60lpd
S60nfs
S60rstatd
S75keytable
S80sendmail
S85gpm
S85sound
S90xfs
S99local

Here's an extract from the log at the time of the upgrade:

Jan 11 12:44:10 falstaff sshd[489]: log: Generating new 768 bit RSA key.
Jan 11 12:44:12 falstaff sshd[489]: log: RSA key generation complete.
Jan 11 12:47:10 falstaff kernel: Kernel logging (proc) stopped.
Jan 11 12:47:10 falstaff kernel: Kernel log daemon terminating.
Jan 11 12:47:11 falstaff syslog: klogd shutdown succeeded
Jan 11 12:47:12 falstaff exiting on signal 15
Jan 11 12:47:13 falstaff syslogd 1.3-3: restart.
Jan 11 12:47:13 falstaff syslog: syslogd startup succeeded
Jan 11 12:47:13 falstaff syslog: klogd startup succeeded
Jan 11 12:47:13 falstaff kernel: klogd 1.3-3, log source = /proc/kmsg started.
Jan 11 12:47:13 falstaff kernel: Inspecting /boot/System.map
Jan 11 12:47:14 falstaff kernel: Loaded 6563 symbols from /boot/System.map.
Jan 11 12:47:14 falstaff kernel: Symbols match kernel version 2.2.10.
Jan 11 12:47:14 falstaff kernel: Loaded 98 symbols from 6 modules.
Jan 11 12:51:43 falstaff lpd: lpd shutdown succeeded
Jan 11 12:51:44 falstaff lpd: lpd startup succeeded
Jan 12 11:06:08 falstaff PAM_pwdb[4848]: (su) session opened for user root by jrs(uid=500)

There was plenty of (unlogged) ssh on this box at this time. As I said,
a reboot cured the problem, but my experience suggests that there's
still a bug somewhere that needs to be squashed.

Comment 1 Bill Nottingham 2000-01-21 06:23:59 UTC
When you say that you compiled ssh from source, it is *not* a version
compiled against libc5, correct?

Comment 2 Bill Nottingham 2000-02-01 19:37:59 UTC
*** This bug has been marked as a duplicate of 7214 ***

Comment 3 jrs 2000-02-01 19:53:59 UTC
Yes, ssh-1.2.27 is compiled against libc6.

I'm not so sure that this is really a duplicate of 7214.
My sendmail (which came from the RH6.0 rpm) continued logging.

When I repeated the experiment on an identically configured
AMD K6-3 box, I found that after upgrading sysklogd, I was
able to get sshd to resume logging simply by kicking it:

  kill -s SIGHUP <pid of currently running sshd>
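
A check suggested by this report, as an added example that is not part of the original bug thread: it finds the last syslogd restart in a log and lists the program tags that logged before it but never after. The sample lines are copied from the excerpt in the description (wrapped lines rejoined); the function name and regular expressions are this example's own.

```python
import re

# Lines taken from the log excerpt in the report (wrapped lines rejoined).
SAMPLE = """\
Jan 11 12:44:10 falstaff sshd[489]: log: Generating new 768 bit RSA key.
Jan 11 12:44:12 falstaff sshd[489]: log: RSA key generation complete.
Jan 11 12:47:10 falstaff kernel: Kernel log daemon terminating.
Jan 11 12:47:11 falstaff syslog: klogd shutdown succeeded
Jan 11 12:47:12 falstaff exiting on signal 15
Jan 11 12:47:13 falstaff syslogd 1.3-3: restart.
Jan 11 12:47:13 falstaff syslog: syslogd startup succeeded
Jan 11 12:47:13 falstaff kernel: klogd 1.3-3, log source = /proc/kmsg started.
Jan 11 12:51:44 falstaff lpd: lpd startup succeeded
Jan 12 11:06:08 falstaff PAM_pwdb[4848]: (su) session opened for user root by jrs(uid=500)
"""

# "Mon DD HH:MM:SS host tag[pid]: message" -> captures the program tag.
ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([^\s:\[]+)(?:\[\d+\])?: ")
# The marker syslogd writes when it comes back up, as seen in the excerpt.
RESTART = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ syslogd \S+: restart\.")


def silent_after_restart(text):
    """Return sorted program tags that logged before the last syslogd restart
    in `text` but never after it. Returns [] if no restart is present."""
    lines = text.splitlines()
    restarts = [i for i, line in enumerate(lines) if RESTART.match(line)]
    if not restarts:
        return []
    cut = restarts[-1]

    def tags(chunk):
        # Lines without a "tag:" field (e.g. "exiting on signal 15") are skipped.
        return {m.group(1) for m in map(ENTRY.match, chunk) if m}

    return sorted(tags(lines[:cut]) - tags(lines[cut + 1:]))


if __name__ == "__main__":
    for tag in silent_after_restart(SAMPLE):
        print(f"no entries from {tag!r} since the last syslogd restart")
```

A tag reported here is only a lead: a daemon that had nothing to log looks the same as one whose messages are no longer reaching syslogd, so compare against known activity before acting on it.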

