- Cleanup sshd.c PAM a little more
- Revised RPM package to include Jim Knoble's <jmknoble@pobox.com>
X11 ssh-askpass program.
+ - Disable logging of PAM success and failures, PAM is verbose enough.
+ Unfortunatly there is currently no way to disable auth failure
+ messages. Mention this in UPGRADING file and sent message to PAM
+ developers
19991225
- More fixes from Andre Lucas <andre.lucas@dial.pipex.com>
the incorrect key length (usually "1024") with the correct key length
(usually "1023").
+5. Spurious PAM authentication messages in logfiles
+
+OpenSSH will generate spurious authentication failures at every login,
+similar to "authentication failure; (uid=0) -> root for sshd service".
+These are generated because OpenSSH first tries to determine whether a
+user needs authentication to login (e.g. empty password). Unfortunatly
+PAM likes to log all authentication events, this one included.
+
#ifdef HAVE_LIBPAM
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
-int do_pam_auth(const char *user, const char *password, int quiet);
+int do_pam_auth(const char *user, const char *password);
void do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, char *ttyname);
void pam_cleanup_proc(void *context);
}
}
-int do_pam_auth(const char *user, const char *password, int quiet)
+int do_pam_auth(const char *user, const char *password)
{
int pam_retval;
pampasswd = password;
- pam_retval = pam_authenticate((pam_handle_t *)pamh, quiet?PAM_SILENT:0);
+ pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
if (pam_retval == PAM_SUCCESS) {
- log("PAM Password authentication accepted for user \"%.100s\"", user);
+ debug("PAM Password authentication accepted for user \"%.100s\"", user);
return 1;
} else {
- if (!quiet)
- log("PAM Password authentication for \"%.100s\" failed: %s",
- user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ debug("PAM Password authentication for \"%.100s\" failed: %s",
+ user, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
return 0;
}
}
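Review bot: Both branches of do_pam_auth now report through debug(), so at the default log level sshd itself keeps no record of a failed or accepted PAM password attempt, and the audit trail depends entirely on what the configured PAM modules write. The removed `quiet` argument was the only thing separating the empty-password probe from a real attempt. The real attempt at the later `authenticated = do_pam_auth(pw->pw_name, password);` call site could keep a daemon-level line, e.g. `if (!authenticated) log("PAM password authentication failed for \"%.100s\"", pw->pw_name);`. That leaves the probe quiet while giving failure monitoring an entry that does not depend on the PAM configuration.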
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif /* KRB4 */
#ifdef HAVE_LIBPAM
- do_pam_auth(pw->pw_name, "", 1)) {
+ do_pam_auth(pw->pw_name, "")) {
#else /* HAVE_LIBPAM */
auth_password(pw, "")) {
#endif /* HAVE_LIBPAM */
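Review bot: The empty-password probe `do_pam_auth(pw->pw_name, "")` now reaches pam_authenticate with flags 0 instead of PAM_SILENT, and the UPGRADING text in this commit says PAM will log an authentication failure at every login as a result. Anything that counts failures will see those entries as genuine ones, so the call deserves a comment, e.g. `/* Empty-password probe: PAM logs a failure here whenever the account has a password set */`. Nothing in the hunk shows whether a PAM module that acts on failure counts was considered, so that interaction is worth checking. The enclosing condition starts before this hunk and its body continues after it.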
#ifdef HAVE_LIBPAM
/* Do PAM auth with password */
- authenticated = do_pam_auth(pw->pw_name, password, 0);
+ authenticated = do_pam_auth(pw->pw_name, password);
#else /* HAVE_LIBPAM */
/* Try authentication with the password. */
authenticated = auth_password(pw, password);