[Bug 3727] New: openssh PAM implementation unnecessarily logs authentication failures at LOG_ERROR level

bugzilla-daemon at mindrot.org
Sat Aug 31 23:27:49 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3727

            Bug ID: 3727
           Summary: openssh PAM implementation unnecessarily logs
                    authentication failures at LOG_ERROR level
           Product: Portable OpenSSH
           Version: -current
          Hardware: amd64
                OS: FreeBSD
            Status: NEW
          Severity: minor
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: openssh at juicer.orange-carb.org

At line 939 of auth-pam.c the following statement logs successful
interactions with PAM that involve authentication denials:

                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user, sshpam_rhost);

This is not actually an error, as PAM has correctly declined the
authentication. With the current reality that OpenSSH may be probed
hundreds of times an hour, this generates many, many auth "errors" in
syslog that may obscure actual authentication subsystem errors in logs.

It should be noted that at auth.c lines 282/296 there is already
logging done at log_info.

I suggest one of two courses of action:

1) Do not log trivial authentication denials (e.g. invalid user, bad
pw, etc.) at auth-pam.c:939, given these will already be logged in
auth.c:296

or

2) Reduce log level at auth-pam.c:939 to INFO
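The severity split the report asks for, written out as an added example
(this is illustration code, not OpenSSH's auth-pam.c): a helper that
classifies a PAM result as either a routine denial, which gets LOG_INFO to
match the auth.c line, or a genuine subsystem failure, which keeps LOG_ERR,
and a formatter that builds the same "PAM: ... for illegal user ..." message
as the quoted call. The function names pam_failure_priority and
format_pam_failure are assumed names; the sample user, host and message
strings are constructed; the fallback PAM constants are Linux-PAM's values
and are only used when <security/pam_appl.h> is not available.

```c
/*
 * Added illustration, not OpenSSH code: pick a syslog priority for a PAM
 * authentication result so routine denials are not reported as errors.
 */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#ifdef __has_include
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define EXAMPLE_HAVE_PAM_HEADER 1
# endif
#endif

#ifndef EXAMPLE_HAVE_PAM_HEADER
/* Fallback so the example compiles without libpam headers. These are
 * Linux-PAM's numeric values; OpenPAM (FreeBSD) numbers them differently,
 * so on a real system always take them from <security/pam_appl.h>. */
# define PAM_SUCCESS            0
# define PAM_SYSTEM_ERR         4
# define PAM_BUF_ERR            5
# define PAM_PERM_DENIED        6
# define PAM_AUTH_ERR           7
# define PAM_CRED_INSUFFICIENT  8
# define PAM_AUTHINFO_UNAVAIL   9
# define PAM_USER_UNKNOWN      10
# define PAM_MAXTRIES          11
# define PAM_ACCT_EXPIRED      13
#endif

/*
 * Return the syslog priority a PAM failure deserves (assumed helper name).
 * Results that mean "PAM ran correctly and said no" describe the client,
 * not sshd, so they get LOG_INFO, the level auth.c already uses for its
 * own "Failed ... for invalid user" line. Anything else means the
 * authentication subsystem itself misbehaved and keeps LOG_ERR, which is
 * exactly the case an unconditional error() call buries under the noise.
 * Returns -1 for PAM_SUCCESS, which is not a failure and should not be
 * logged as one.
 */
int pam_failure_priority(int pam_err)
{
	switch (pam_err) {
	case PAM_SUCCESS:
		return -1;
	case PAM_AUTH_ERR:          /* wrong password or token */
	case PAM_USER_UNKNOWN:      /* no such account */
	case PAM_MAXTRIES:          /* a module's retry limit was hit */
	case PAM_PERM_DENIED:
	case PAM_CRED_INSUFFICIENT:
	case PAM_ACCT_EXPIRED:      /* policy denial from the account stage */
		return LOG_INFO;
	default:                    /* PAM_SYSTEM_ERR, PAM_BUF_ERR,
	                             * PAM_AUTHINFO_UNAVAIL (backend down), ... */
		return LOG_ERR;
	}
}

/*
 * Build the same message the auth-pam.c call builds, into buf, and return
 * the priority it should be logged at (-1 means "do not log"). `valid`
 * mirrors sshpam_authctxt->valid; `msg` stands in for pam_strerror() text.
 */
int format_pam_failure(char *buf, size_t buflen, int pam_err, const char *msg,
    int valid, const char *user, const char *rhost)
{
	int prio = pam_failure_priority(pam_err);

	if (prio < 0) {
		buf[0] = '\0';
		return prio;
	}
	snprintf(buf, buflen, "PAM: %s for %s%.100s from %.100s", msg,
	    valid ? "" : "illegal user ", user, rhost);
	return prio;
}

int main(void)
{
	char line[512];
	int p;

	/* Constructed inputs: a probe against a non-existent account, then a
	 * genuine PAM breakage for a real user. */
	p = format_pam_failure(line, sizeof line, PAM_USER_UNKNOWN,
	    "Authentication failure", 0, "admin", "203.0.113.7");
	printf("%s: %s\n", p == LOG_INFO ? "info" : "err", line);

	p = format_pam_failure(line, sizeof line, PAM_SYSTEM_ERR,
	    "System error", 1, "alice", "203.0.113.7");
	printf("%s: %s\n", p == LOG_INFO ? "info" : "err", line);
	return 0;
}
```

Option 1 from the report (suppress the denial line entirely because
auth.c:296 already records it) is the same classification with the
LOG_INFO cases returning -1 instead; the error-class codes are the ones
worth keeping at LOG_ERR either way, since they are the lines an operator
needs to see when PAM itself is broken.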
