Re: Multiple log entries for successful pubkey authentication

On Apr 7 21:49, Darren Tucker wrote:
> Corinna Vinschen wrote:
> >With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> >when a pubkey authentication logon was successful:
> >
> > Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna
> > from 192.168.129.6 port 40207 ssh2
> > Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna
> > from 192.168.129.6 port 40207 ssh2
> >
> >I found that this only happens when privilege separation is used. If I
> >switch privilege separation off, I'm getting only one entry in the syslog.
>
> I think that's because the auth_log is called twice: once in the monitor
> and once in the slave. If that's the case you should find one log entry
> was done as the user logging in and the other as the privileged user
> running sshd.

Yeah, that's what happens. In the above log entries you see that the
logs come from different PIDs. As I wrote in my previous mail, I'm
still wondering if DISABLE_FD_PASSING is the cause. But the result
should be identical to a root login on other OSes, see the first few
lines in sshd.c, function privsep_postauth(). However, a root login
on Linux does not result in multiple log entries, so that's not the
whole explanation...


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev