Multiple log entries for successful pubkey authentication

Darren Tucker dtucker at
Thu Apr 7 22:52:34 EST 2005

Corinna Vinschen wrote:
> On Apr  7 21:49, Darren Tucker wrote:
>>I think that's because the auth_log is called twice: once in the monitor 
>>and once in the slave.  If that's the case you should find one log entry 
>>was done as the user logging in and the other as the privileged user 
>>running sshd.
> Yeah, that's what happens.  In the above log entries you see that the
> logs come from different PIDs.  As I wrote in my previous mail, I'm
> still wondering if DISABLE_FD_PASSING is the cause.  But the result
> should be identical to a root login on other OSes, see the first few
> lines in sshd.c, function privsep_postauth().  However, a root login
> on Linux does not result in multiple log entries, so that's not the
> whole explanation...

It does in debug mode:

debug1: ssh_rsa_verify: signature correct
Accepted publickey for root from ::ffff: port 40694 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged 
Accepted publickey for root from ::ffff: port 40694 ssh2

The one from the privsep slave won't get logged in normal operations, 
since it's chrooted to /var/empty and has no /dev/log to talk to syslogd.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list