https://bugzilla.mindrot.org/show_bug.cgi?id=3727
Bug ID: 3727
Summary: openssh PAM implementation unnecessarily logs authentication failures at LOG_ERROR level
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: FreeBSD
Status: NEW
Severity: minor
Priority: P5
Component: PAM support
Assignee: unassigned-b...@mindrot.org
Reporter: open...@juicer.orange-carb.org

At line 939 of auth-pam.c the following statement logs successful interactions with PAM that involve authentication denials:

    error("PAM: %s for %s%.100s from %.100s", msg,
        sshpam_authctxt->valid ? "" : "illegal user ",
        sshpam_authctxt->user, sshpam_rhost);

This is not actually an error, as PAM has correctly declined the authentication. With the current reality that OpenSSH may be probed hundreds of times an hour, this generates many many auth "errors" in syslog that may obscure actual authentication subsystem errors in logs.

It should be noted that at auth.c lines 282/296 there is already logging done at log_info.

I suggest one of two courses of action:

1) Do not log trivial authentication denials (e.g. invalid user, bad pw, etc) at auth-pam.c:939, given these will already be logged in auth.c:296

or

2) Reduce log level at auth-pam.c:939 to INFO
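A log-triage sketch for the situation this report describes, added here as an example and not part of the report or of OpenSSH: it separates error-level lines produced by the quoted format string from the remaining sshd error lines, so real subsystem errors are not buried. The "error: " syslog prefix, the `triage` function and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Mirrors the format string quoted in the report:
#   "PAM: %s for %s%.100s from %.100s"
# Assumption: syslog renders error()-level sshd messages with an "error: "
# prefix after the "sshd[pid]: " tag; adjust if your syslog format differs.
PAM_DENIAL = re.compile(
    r"sshd(?:\[\d+\])?: error: PAM: (?P<msg>.+?) for "
    r"(?P<illegal>illegal user )?(?P<user>\S{1,100}) from (?P<rhost>\S{1,100})$"
)
SSHD_ERROR = re.compile(r"sshd(?:\[\d+\])?: (?:error|fatal): ")

def triage(lines):
    """Split error-level sshd lines into PAM denials and everything else.

    Returns (denials_per_rhost, other_errors). A line that does not match
    the denial pattern exactly (for example a user name containing spaces)
    stays in other_errors, so nothing is hidden by a loose match.
    """
    denials = Counter()
    other_errors = []
    for line in lines:
        line = line.rstrip("\n")
        m = PAM_DENIAL.search(line)
        if m:
            denials[m.group("rhost")] += 1
        elif SSHD_ERROR.search(line):
            other_errors.append(line)
    return denials, other_errors

# Constructed sample lines (documentation addresses, made-up PIDs and host).
SAMPLE = [
    "Oct  1 10:00:01 host sshd[811]: error: PAM: Authentication error for illegal user admin from 203.0.113.7",
    "Oct  1 10:00:03 host sshd[812]: error: PAM: Authentication error for root from 203.0.113.7",
    "Oct  1 10:00:04 host sshd[812]: Failed keyboard-interactive/pam for root from 203.0.113.7 port 50522 ssh2",
    "Oct  1 10:00:09 host sshd[815]: error: PAM: Authentication error for illegal user test from 198.51.100.23",
    "Oct  1 10:00:12 host sshd[820]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key",
    "Oct  1 10:00:15 host sshd[821]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2",
]

if __name__ == "__main__":
    denials, other = triage(SAMPLE)
    for rhost, n in denials.most_common():
        print(f"{n:5d} PAM denials from {rhost}")
    print("error-level lines left to review:")
    for line in other:
        print("  " + line)
```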