OpenSSH server doesn't log client disconnect without SSH_MSG_DISCONNECT
Damien Miller
djm at mindrot.org
Mon May 27 12:18:21 AEST 2024
On Sun, 26 May 2024, Opty wrote:
> On Wed, May 22, 2024 at 6:29 AM Damien Miller <djm at mindrot.org> wrote:
> > On Tue, 21 May 2024, Opty wrote:
> > > Hello,
> > >
> > > can anyone confirm that OpenSSH server doesn't log client disconnect
> > > without SSH_MSG_DISCONNECT?
> >
> > OpenSSH logs the disconnection regardless of whether the client sends
> > SSH_MSG_DISCONNECT or just drops the connection.
> >
> > A little more information may be logged from the disconnect packet
> > if it was sent, but there should always be a "Connection closed by ..."
> > message regardless.
>
> Unpatched:
> 2024-05-26T13:40:18.419241+02:00 qeporkak sshd 16107 - - Accepted
> keyboard-interactive/pam for opty from 127.0.0.1 port 48133 ssh2
> 2024-05-26T13:40:18.428291+02:00 qeporkak elogind-daemon 1114 - - New
> session 2 of user opty.
> 2024-05-26T13:40:19.309320+02:00 qeporkak elogind-daemon 1114 - -
> Removed session 2.
>
> Q&D patch:
> diff -Naur a/putty-0.81/ssh/connection2.c b/putty-0.81/ssh/connection2.c
> --- a/putty-0.81/ssh/connection2.c 2024-04-06 11:43:47.000000000 +0200
> +++ b/putty-0.81/ssh/connection2.c 2024-05-26 14:00:38.382879095 +0200
> @@ -1269,6 +1269,10 @@
> * and indeed OpenSSH feels this is more polite than sending a
> * DISCONNECT. So now we don't.
> */
> +
> + /* We do again. */
> + ssh2_bpp_queue_disconnect(s->ppl.bpp, "disconnected by user",
> SSH2_DISCONNECT_BY_APPLICATION);
> +
> ssh_user_close(s->ppl.ssh, "All channels closed");
> return;
> }
Yeah, you're adding a new thing that will be logged. IMO you should
try to figure out why the "Connection closed" message that is present
in the debug log you sent is not making to to your syslog.
More information about the openssh-unix-dev
mailing list