[Bug 3727] New: openssh PAM implementation unnecessarily logs authentication failures at LOG_ERROR level
bugzilla-daemon at mindrot.org
Sat Aug 31 23:27:49 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3727
Bug ID: 3727
Summary: openssh PAM implementation unnecessarily logs authentication failures at LOG_ERROR level
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: FreeBSD
Status: NEW
Severity: minor
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: openssh at juicer.orange-carb.org
At line 939 of auth-pam.c the following statement logs successful
interactions with PAM that involve authentication denials:

    error("PAM: %s for %s%.100s from %.100s", msg,
        sshpam_authctxt->valid ? "" : "illegal user ",
        sshpam_authctxt->user, sshpam_rhost);
This is not actually an error, as PAM has correctly declined the
authentication. With the current reality that OpenSSH may be probed
hundreds of times an hour, this generates many many auth "errors" in
syslog that may obscure actual authentication subsystem errors in logs.
It should be noted that at auth.c lines 282/296 there is already
logging done at log_info.
I suggest one of two courses of action:
1) Do not log trivial authentication denials (e.g. invalid user, bad
pw, etc.) at auth-pam.c:939, given these will already be logged in
auth.c:296
or
2) Reduce log level at auth-pam.c:939 to INFO
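The following is an added illustration of the report's point from the log-collector side; it is not part of the bug report and not OpenSSH code. It takes (syslog priority, sshd message) records as a collector such as a journal or rsyslog pipeline would see them, recognises the exact message shape produced by the error() call quoted above, and shows how many "err" lines remain once those per-attempt denials are treated as info (the report's option 2). The sample records, the user names, the hosts and the PAM message texts are all constructed for the example.

```python
import re
from collections import Counter

# Matches the message built by the auth-pam.c call quoted in the report:
#   "PAM: %s for %s%.100s from %.100s"  (msg, optional "illegal user ", user, rhost)
# <msg> is whatever PAM's error string was; user and host are truncated to 100 chars.
PAM_DENIAL_RE = re.compile(
    r"^PAM: (?P<msg>.+?) for (?P<illegal>illegal user )?"
    r"(?P<user>\S{1,100}) from (?P<host>\S{1,100})$"
)

# Constructed sample records: (syslog priority sshd requested, message text).
# Per the report, the auth-pam.c denial goes out via error() (priority "err")
# while auth.c logs the same failed attempt at info. The pam_open_session line
# stands in for a genuine PAM subsystem error; its text is invented here.
SAMPLE_RECORDS = [
    ("err",  "PAM: Authentication failure for illegal user admin from 198.51.100.7"),
    ("info", "Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2"),
    ("err",  "PAM: Authentication failure for root from 203.0.113.9"),
    ("info", "Failed password for root from 203.0.113.9 port 40100 ssh2"),
    ("err",  "PAM: Authentication failure for illegal user test from 198.51.100.7"),
    ("err",  "PAM: pam_open_session(): Cannot make/remove an entry for the specified session"),
    ("info", "Accepted publickey for alice from 192.0.2.4 port 51022 ssh2"),
]


def is_pam_denial(message):
    """True for the per-attempt PAM denial from auth-pam.c, False for other PAM errors."""
    return PAM_DENIAL_RE.match(message) is not None


def reclassify(priority, message):
    """Apply the report's option 2 at the collector: PAM denials become info, nothing else changes."""
    if priority == "err" and is_pam_denial(message):
        return "info"
    return priority


def error_counts(records):
    """Return (err lines as sshd logged them, err lines after reclassification, the remaining err messages)."""
    raw = sum(1 for prio, _ in records if prio == "err")
    kept = [msg for prio, msg in records if reclassify(prio, msg) == "err"]
    return raw, len(kept), kept


def denial_counts(records):
    """Count PAM denials per (user, host) so the volume stays visible even at info level."""
    counts = Counter()
    for _, msg in records:
        m = PAM_DENIAL_RE.match(msg)
        if m:
            counts[(m.group("user"), m.group("host"))] += 1
    return counts


if __name__ == "__main__":
    raw, after, remaining = error_counts(SAMPLE_RECORDS)
    print(f"err lines as logged: {raw}, after reclassifying PAM denials: {after}")
    for msg in remaining:
        print("  still err:", msg)
    for (user, host), n in denial_counts(SAMPLE_RECORDS).items():
        print(f"  denials for {user} from {host}: {n}")
```

On the constructed sample, three of the four "err" records are routine denials that auth.c already reports at info, and only the session-setup failure survives as an error, which is the signal the report says gets buried. The regex is anchored on the full format string rather than on the prefix "PAM: " so that other PAM errors keep their original priority.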