Multiple log entries for successful pubkey authentication
Corinna Vinschen
vinschen at redhat.com
Thu Apr 7 22:23:54 EST 2005
On Apr 7 21:49, Darren Tucker wrote:
> Corinna Vinschen wrote:
> >With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> >when a pubkey authentication logon was successful:
> >
> > Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna
> > from 192.168.129.6 port 40207 ssh2
> > Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna
> > from 192.168.129.6 port 40207 ssh2
> >
> >I found that this only happens when privilege separation is used. If I
> >switch privilege separation off, I'm getting only one entry in the syslog.
>
> I think that's because the auth_log is called twice: once in the monitor
> and once in the slave. If that's the case you should find one log entry
> was done as the user logging in and the other as the privileged user
> running sshd.

Yeah, that's what happens. In the above log entries you see that the
logs come from different PIDs. As I wrote in my previous mail, I'm
still wondering if DISABLE_FD_PASSING is the cause. But the result
should be identical to a root login on other OSes, see the first few
lines in sshd.c, function privsep_postauth(). However, a root login
on Linux does not result in multiple log entries, so that's not the
whole explanation...

Corinna
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
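
Added example, not part of the original message or of OpenSSH: one way for a log consumer to collapse the per-process duplicates described in this thread into a single logical login, so that successful logins are not counted twice. The first two sample lines are the ones quoted above (unwrapped); the other two lines, the `sshd[PID]:` tag form, and the function name `collapse_accepts` are assumptions constructed for illustration.

```python
import re
from collections import OrderedDict

# Accepts both the "sshd : PID n :" tag seen in the thread and the
# "sshd[n]:" tag (assumed here as a second format the logs may use).
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sshd\s*(?:\[(?P<pid1>\d+)\]:|:\s*PID\s+(?P<pid2>\d+)\s*:)\s*"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+"
    r"from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)

FIELDS = ("ts", "host", "method", "user", "ip", "port")


def collapse_accepts(lines):
    """Return one record per logical login, listing every PID that logged it.

    Two "Accepted" lines are treated as the same login when timestamp, host,
    method, user, source address and source port all match; only the PID of
    the logging process differs between them.
    """
    logins = OrderedDict()
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m is None:
            continue  # not a successful-authentication entry
        ts = " ".join(m["ts"].split())  # normalise "Apr  7" vs "Apr 7"
        key = (ts, m["host"], m["method"], m["user"], m["ip"], int(m["port"]))
        pid = int(m["pid1"] or m["pid2"])
        logins.setdefault(key, []).append(pid)
    return [dict(zip(FIELDS, key), pids=pids) for key, pids in logins.items()]


# Lines 1-2: from the thread, unwrapped. Lines 3-4: constructed sample data.
SAMPLE_LINES = [
    "Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2",
    "Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2",
    "Apr  7 13:20:02 cathi sshd[70001]: Failed password for corinna from 192.168.129.6 port 40211 ssh2",
    "Apr  7 13:21:45 cathi sshd[70112]: Accepted publickey for corinna from 192.168.129.6 port 40215 ssh2",
]

if __name__ == "__main__":
    for login in collapse_accepts(SAMPLE_LINES):
        print(login)
```

Keeping the PID list on each record preserves the evidence that two processes logged the same event.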