Disabling logging during pam_authenticate

Steve Langasek vorlon at netexpress.net
Mon Dec 27 04:37:09 EST 1999


On Sun, 26 Dec 1999, Damien Miller wrote:

> Is there any way to disable logging of failures during
> pam_authenticate?

PAM does not have control over the logging process during pam_authenticate,
that's left up to the individual modules.  You may be able to turn logging off
for individual modules; however--

> The problem is that OpenSSH likes to try a blank password attempting
> any other authentication. This is a shortcut for anonymous SSH servers
> (e.g. OpenBSD's CVS repositories). I expect that this test will fail
> in the vast majority of cases, but it speeds things up significantly
> when it succeeds.

wouldn't it be more reasonable to ask ssh to not try null passwords? There
could be any number of modules that would be used in the PAM auth section, and
all of them may have an opinion on what should be logged.  Some of them may be
well-behaved and let you disable logging, but then you've also disabled
logging for any genuine attacks against you using that service.

Perhaps, as with Samba's client utils, a command-line option could be added to
openssh's client to specify the use of a null password?  That way, you don't
have to worry about prompts when the connection is scripted, and you get
around the logging issue as well.

-Steve Langasek
postmodern programmer


More information about the openssh-unix-dev mailing list