From d49621ea530ce976a17ba043eedba137c60bc10a Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sun, 26 Dec 1999 14:04:33 +1100
Subject: - Disable logging of PAM success and failures, PAM is verbose enough. Unfortunatly there is currently no way to disable auth failure messages. Mention this in UPGRADING file and sent message to PAM developers
---
 ChangeLog | 4 ++++
 UPGRADING | 8 ++++++++
 sshd.c | 19 +++++++++----------
 3 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4a1810a93..e6b1695ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
 - Cleanup sshd.c PAM a little more
 - Revised RPM package to include Jim Knoble's X11 ssh-askpass program.
+ - Disable logging of PAM success and failures, PAM is verbose enough.
+ Unfortunatly there is currently no way to disable auth failure
+ messages. Mention this in UPGRADING file and sent message to PAM
+ developers
 19991225
 - More fixes from Andre Lucas
diff --git a/UPGRADING b/UPGRADING
index f9732cf53..854bd2294 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -45,3 +45,11 @@ rid yourself of these message, edit you known_hosts files and replace the incorrect key length (usually "1024") with the correct key length (usually "1023").
+5. Spurious PAM authentication messages in logfiles
+
+OpenSSH will generate spurious authentication failures at every login,
+similar to "authentication failure; (uid=0) -> root for sshd service".
+These are generated because OpenSSH first tries to determine whether a
+user needs authentication to login (e.g. empty password). Unfortunatly
+PAM likes to log all authentication events, this one included.
+
diff --git a/sshd.c b/sshd.c
index 66df93d77..e3596de50 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@ */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.42 1999/12/26 02:31:06 damien Exp $");
+RCSID("$Id: sshd.c,v 1.43 1999/12/26 03:04:33 damien Exp $");
 #ifdef HAVE_POLL_H
 # include
@@ -146,7 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term,
 #ifdef HAVE_LIBPAM
 static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr);
-int do_pam_auth(const char *user, const char *password, int quiet);
+int do_pam_auth(const char *user, const char *password);
 void do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, char *ttyname);
 void pam_cleanup_proc(void *context);
@@ -238,20 +238,19 @@ void pam_cleanup_proc(void *context)
 }
 }
-int do_pam_auth(const char *user, const char *password, int quiet)
+int do_pam_auth(const char *user, const char *password)
 {
 int pam_retval;
 pampasswd = password;
- pam_retval = pam_authenticate((pam_handle_t *)pamh, quiet?PAM_SILENT:0);
+ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
 if (pam_retval == PAM_SUCCESS) {
- log("PAM Password authentication accepted for user \"%.100s\"", user);
+ debug("PAM Password authentication accepted for user \"%.100s\"", user);
 return 1;
 } else {
- if (!quiet)
- log("PAM Password authentication for \"%.100s\" failed: %s",
- user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ debug("PAM Password authentication for \"%.100s\" failed: %s",
+ user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
 return 0;
 }
 }
@@ -1312,7 +1311,7 @@ do_authentication(char *user)
 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif /* KRB4 */
 #ifdef HAVE_LIBPAM
- do_pam_auth(pw->pw_name, "", 1)) {
+ do_pam_auth(pw->pw_name, "")) {
 #else /* HAVE_LIBPAM */
 auth_password(pw, "")) {
 #endif /* HAVE_LIBPAM */
@@ -1523,7 +1522,7 @@ do_authloop(struct passwd * pw)
 #ifdef HAVE_LIBPAM
 /* Do PAM auth with password */
- authenticated = do_pam_auth(pw->pw_name, password, 0);
+ authenticated = do_pam_auth(pw->pw_name, password);
 #else /* HAVE_LIBPAM */
 /* Try authentication with the password. */
 authenticated = auth_password(pw, password);
-- cgit v1.2.3
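Review bot: In `do_pam_auth` (hunk at -238,20) the success branch now reports through `debug()`, so at normal verbosity sshd itself presumably no longer records which user passed PAM password authentication, and the audit trail depends on whatever the configured PAM modules choose to log. The spurious entries described in UPGRADING are failures from the empty-password probe, so the success line could stay at `log("PAM Password authentication accepted for user \"%.100s\"", user);` without adding that noise. A success on the probe would mean an account with an empty password was accepted, which is an event worth keeping in the normal log. If the failure line stays at `debug()`, a comment such as `/* failures are left to PAM's own logging; sshd reports them only at debug level */` above it would record that the omission is deliberate.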
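Review bot: The probe `do_pam_auth(pw->pw_name, "")` in `do_authentication` (hunk at -1312,7) runs a full `pam_authenticate()` with an empty password on every login, and with the `quiet` argument removed it no longer passes `PAM_SILENT` for that call. Beyond the log noise noted in UPGRADING, modules in the PAM stack that count failed attempts may treat each probe as a real failure, which would skew lockout counters and make genuine password guessing harder to pick out of the logs; this depends on the stack and is not visible here. The enclosing condition starts outside the hunk, so I cannot tell whether it already tests the server's empty-password setting; if it does not, skipping the probe when empty passwords are not permitted would avoid the call entirely. At minimum the call deserves a comment, for example `/* probe for an empty password; PAM records a failure here for every account that has a password set */`.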