Marc Lehmann <[email protected]> writes:
> Russ Allbery <[email protected]> wrote:
>> Marc Lehmann <[email protected]> writes:

>>> What luck that I found out how to reproduce it a while later: remove the
>>> /etc/shadow entry for the user, and you get connection closed but no log
>>> messages whatsoever.

>> I think that's just because pam_unix doesn't log anything in this case.
>> I've run into that before.

> I have no clue who logs, but the fact remains that I only get the message
> when privsep is off.

Ah, I think I understand.  That error message is coming from ssh itself.
So this isn't a problem with how PAM modules are called, but rather
apparently a problem with the logging code in sshd itself in the case of
privilege separation.  You don't get the failure message generated
internally by sshd when the account stack fails.

I did double-check the pam_unix source code and indeed it just exits with
a failure status but reports no error messages at all if the user isn't
listed in /etc/shadow.  I think that's probably also a bug in pam.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
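
A check for the condition discussed in this thread (an account listed in /etc/passwd with no /etc/shadow entry, which fails at login without a pam_unix log line), as an added example that is not part of the original message. The function names and the sample account data are constructed for illustration.

```python
"""Report accounts that passwd marks as shadowed ("x") but shadow omits."""
import sys

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
"""


def parse_entries(text, min_fields):
    """Return {name: fields} for well-formed colon-separated lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Skip malformed lines and NIS compat markers such as "+::::::".
        if len(fields) < min_fields or not fields[0] or fields[0][0] in "+-":
            continue
        entries[fields[0]] = fields
    return entries


def missing_shadow_entries(passwd_text, shadow_text):
    """Names whose passwd password field is "x" but have no shadow line."""
    passwd = parse_entries(passwd_text, 7)
    shadow = parse_entries(shadow_text, 2)
    return sorted(
        name for name, fields in passwd.items()
        if fields[1] == "x" and name not in shadow
    )


if __name__ == "__main__":
    # With two path arguments, check real files; otherwise use the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            passwd_text, shadow_text = p.read(), s.read()
    else:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for name in missing_shadow_entries(passwd_text, shadow_text):
        print(f"{name}: shadowed in passwd but absent from shadow")
```

Reading the real /etc/shadow requires root or shadow-group privileges.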


