On 12.10.22 at 13:15, Vincent Lefevre wrote:
> On 2022-10-12 11:39:40 +0200, Michael Biebl wrote:
>> What you see here is expected behaviour:
>> Your login via SSH is apparently done via PAM, which triggers the start of a
>> systemd --user instance (with all that it entails). And systemd dutifully
>> logs everything when setting up that user instance (and tearing it down
>> again on log out).
>
> Well, the account was created by adduser with the --disabled-login
> option. So I wonder why a systemd --user instance is started.


disabled-login means disabled password. You can still log in as that user via other means (su, sudo, SSH keys).
Which mechanism do you use?

>> If you generate lots of SSH logins via subversion, then this will generate
>> lots of log messages.
>
> Yes, this can happen several times per minute.
>
>> Maybe there is a way to use a more restricted environment/login shell for
>> subversion access which doesn't trigger PAM.
>
> According to what I've read on serverfault.com, it is discouraged
> to disable PAM (in particular, it is involved in authentication).

I wouldn't recommend disabling PAM in SSH (I assume you meant "UsePAM no" in sshd_config), but use a different login shell for subversion where PAM is not involved, or rather, which uses a custom PAM profile where you can exclude pam_systemd.so.

>> If you don't want to constantly start/stop the user instance, you can also
>> use linger, so the user instance will stick around if you terminate your SSH
>> session.
>
> However, I suppose that this would take useless resources. IMHO,
> a systemd --user instance is not useful for such a user anyway
> (and perhaps pam_systemd is not needed in any case on this machine:
> this is just a personal VM, not a desktop machine, not a multi-user
> server, so I'm wondering what it is used for).


I don't really know your particular setup, so it's a bit hard to give proper advice. But if the user used for subversion access is not meant to be a *regular* user but some kind of specialized (system) user, it could indeed be an option to disable systemd --user for this particular user.
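
One way to express the PAM-level exclusion discussed above, as an added example that is not part of the original message. It assumes a Debian-style session stack in which pam_systemd.so is loaded from /etc/pam.d/common-session, and uses "svn" as a hypothetical name for the subversion-only account.

```conf
# /etc/pam.d/common-session (excerpt; path assumes a Debian-style PAM layout)
# "svn" is a hypothetical account name for the subversion-only user.

# Before: every PAM session, including each SSH login, is registered with
# systemd-logind by this line, which starts (and on logout stops) the
# user's "systemd --user" instance:
#
#   session optional        pam_systemd.so

# After: pam_succeed_if returns success when the login user is "svn", and
# success=1 then skips the one module that follows. For every other user
# the result is ignored and pam_systemd runs as before.
session [success=1 default=ignore] pam_succeed_if.so quiet user = svn
session optional        pam_systemd.so
```

Only the session stack changes, so authentication is unaffected; logins by that account are no longer registered with systemd-logind and therefore also get no XDG_RUNTIME_DIR.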

