-rw-r--r--ChangeLog4
-rw-r--r--UPGRADING8
-rw-r--r--sshd.c19
3 files changed, 21 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 4a1810a9..e6b1695b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
- Cleanup sshd.c PAM a little more
- Revised RPM package to include Jim Knoble's <jmknoble@pobox.com>
X11 ssh-askpass program.
+ - Disable logging of PAM success and failures, PAM is verbose enough.
+ Unfortunatly there is currently no way to disable auth failure
+ messages. Mention this in UPGRADING file and sent message to PAM
+ developers
19991225
- More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
diff --git a/UPGRADING b/UPGRADING
index f9732cf5..854bd229 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -45,3 +45,11 @@ rid yourself of these message, edit you known_hosts files and replace
the incorrect key length (usually "1024") with the correct key length
(usually "1023").
+5. Spurious PAM authentication messages in logfiles
+
+OpenSSH will generate spurious authentication failures at every login,
+similar to "authentication failure; (uid=0) -> root for sshd service".
+These are generated because OpenSSH first tries to determine whether a
+user needs authentication to login (e.g. empty password). Unfortunatly
+PAM likes to log all authentication events, this one included.
+
diff --git a/sshd.c b/sshd.c
index 66df93d7..e3596de5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$Id: sshd.c,v 1.42 1999/12/26 02:31:06 damien Exp $");
+RCSID("$Id: sshd.c,v 1.43 1999/12/26 03:04:33 damien Exp $");
#ifdef HAVE_POLL_H
# include <poll.h>
@@ -146,7 +146,7 @@ void do_child(const char *command, struct passwd * pw, const char *term,
#ifdef HAVE_LIBPAM
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
-int do_pam_auth(const char *user, const char *password, int quiet);
+int do_pam_auth(const char *user, const char *password);
void do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, char *ttyname);
void pam_cleanup_proc(void *context);
@@ -238,20 +238,19 @@ void pam_cleanup_proc(void *context)
}
}
-int do_pam_auth(const char *user, const char *password, int quiet)
+int do_pam_auth(const char *user, const char *password)
{
int pam_retval;
pampasswd = password;
- pam_retval = pam_authenticate((pam_handle_t *)pamh, quiet?PAM_SILENT:0);
+ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
if (pam_retval == PAM_SUCCESS) {
- log("PAM Password authentication accepted for user \"%.100s\"", user);
+ debug("PAM Password authentication accepted for user \"%.100s\"", user);
return 1;
} else {
- if (!quiet)
- log("PAM Password authentication for \"%.100s\" failed: %s",
- user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ debug("PAM Password authentication for \"%.100s\" failed: %s",
+ user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
return 0;
}
}
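Review bot: Moving both result messages in do_pam_auth from `log()` to `debug()` leaves sshd with no entry of its own for PAM password successes and failures at the normal log level, so the audit trail for password logins now depends on whatever the configured PAM modules write. Going by the sample quoted in UPGRADING, those entries carry a uid and service name, and it is not visible here whether they can be correlated with sshd's other per-connection entries. With `quiet` removed, the empty-password probe in do_authentication and the real attempt in do_authloop take the same path, so sshd cannot keep a record of only the real one. If the failure record matters for failed-login monitoring, one option is to keep do_pam_auth silent and log at the real call site in do_authloop, e.g. `if (!authenticated) log("PAM password authentication failed for \"%.100s\"", pw->pw_name);`.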
@@ -1312,7 +1311,7 @@ do_authentication(char *user)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif /* KRB4 */
#ifdef HAVE_LIBPAM
- do_pam_auth(pw->pw_name, "", 1)) {
+ do_pam_auth(pw->pw_name, "")) {
#else /* HAVE_LIBPAM */
auth_password(pw, "")) {
#endif /* HAVE_LIBPAM */
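Review bot: The call `do_pam_auth(pw->pw_name, "")` is an empty-password probe, but nothing at the call site says so, and with the `quiet` argument gone it now reads exactly like a real authentication attempt. UPGRADING tells administrators to expect a PAM failure entry at every login from this call, so a comment here would help whoever later triages those entries, for example `/* Probe: does this account accept an empty password? PAM logs an auth failure here for every account that does not. */`. Any configured PAM module that counts or delays on failed attempts would presumably see the probe as a failure as well; that is worth confirming against the module stack in use. The enclosing condition and the rest of do_authentication lie outside the hunk.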
@@ -1523,7 +1522,7 @@ do_authloop(struct passwd * pw)
#ifdef HAVE_LIBPAM
/* Do PAM auth with password */
- authenticated = do_pam_auth(pw->pw_name, password, 0);
+ authenticated = do_pam_auth(pw->pw_name, password);
#else /* HAVE_LIBPAM */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);