What does this error mean and can I fix it.

Christopher L. Barnard cbar44 at tsg.cbot.com
Thu Oct 7 03:36:45 EST 2004


Bingo.  (Although this happens on many machines, and they are all
internal.)  When someone mistypes their login name and so is attempting
to log in with a nonexistent account, the session is logged at .info for
the invalid user and at .error for failure to get the shadow info.
Thanks for your help.  It's incredible what you can find in your logs if
you know what you are looking for...

Christopher L. Barnard

 On Wed, 6 Oct 2004, Darren Tucker wrote:

> Logu wrote:
> >>This is true with OpenSSH 3.8p1 and OpenSSH 3.9p1.  I am running on Sun
> >>Solaris servers, both Solaris 8 and Solaris 9.
> >>
> >>I send all ssh syslog messages to local3 via the sshd_config file.  I
> >>periodically get in my error logs the line:
> >>
> >>Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error:
> >>Could not get shadow information for NOUSER
> >>
> >>I do not think this is interfering with any user.  I would like to get rid
> >>of these false positive errors, but I have not been able to track down
> >>what this error is stating.  Can any of you provide assistance in
> >>determining what this means?  Thank you.
>
> It's most likely a failed logon attempt on an account without an entry
> in /etc/passwd and /etc/shadow.
>
> If you're seeing them on an Internet-facing machine it's possible
> they're caused by the password-guessing worm (which tries accounts like
> "admin" and "guest") doing the rounds:
> http://marc.theaimsgroup.com/?l=full-disclosure&m=109078144002874
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>      Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
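
Added example, not part of the original thread or of OpenSSH: a triage script for the log pattern described above, pairing each "Could not get shadow information for NOUSER" error with the .info invalid-user record from the same sshd PID and grouping the attempted names by source address, so an internal typo can be told apart from the password guessing mentioned in the quoted reply. The wording of the .info record, the syslog ID 100001, the addresses, the usernames and the threshold of three names are assumptions or constructed values.

```python
import re
from collections import defaultdict

# Solaris syslog layout seen in the thread: "... host sshd[PID]: [ID n facility.level] msg"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(\d+)\]: \[ID \d+ \w+\.(\w+)\] (.*)$")
# Assumed wording of the .info record ("Illegal user" in older releases).
INVALID = re.compile(r"^(?:Invalid|Illegal) user (\S+) from (\S+)")
SHADOW_ERR = "error: Could not get shadow information for NOUSER"

# Constructed sample; only the shadow-error line format comes from the thread.
SAMPLE = """\
Oct  4 15:29:35 wintermute sshd[14517]: [ID 100001 local3.info] Invalid user cbarr44 from 192.0.2.10
Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 16:02:10 wintermute sshd[15001]: [ID 100001 local3.info] Illegal user admin from 198.51.100.7
Oct  4 16:02:10 wintermute sshd[15001]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 16:02:12 wintermute sshd[15002]: [ID 100001 local3.info] Illegal user guest from 198.51.100.7
Oct  4 16:02:12 wintermute sshd[15002]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 16:02:14 wintermute sshd[15003]: [ID 100001 local3.info] Illegal user test from 198.51.100.7
Oct  4 16:02:14 wintermute sshd[15003]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 17:00:00 wintermute sshd[16000]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
""".splitlines()

def triage(lines, guess_threshold=3):
    """Explain each NOUSER shadow error by the invalid-user record logged
    under the same sshd PID (assumes no PID reuse within the input)."""
    attempt, error_pids = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        pid, level, msg = m.groups()
        inv = INVALID.match(msg)
        if level == "info" and inv:
            attempt[pid] = inv.groups()          # (user, source address)
        elif level == "error" and msg == SHADOW_ERR:
            error_pids.append(pid)
    names_by_source = defaultdict(set)
    for pid in error_pids:
        if pid in attempt:
            user, source = attempt[pid]
            names_by_source[source].add(user)
    # Many distinct nonexistent names from one source looks like guessing, not a typo.
    verdict = {s: "guessing" if len(n) >= guess_threshold else "typo"
               for s, n in names_by_source.items()}
    unexplained = [p for p in error_pids if p not in attempt]
    return verdict, dict(names_by_source), unexplained

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Errors returned in the third element have no matching invalid-user record and are the ones still worth a manual look.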




More information about the openssh-unix-dev mailing list