On 2022-10-12 13:42:55 +0200, Michael Biebl wrote:
> On 12.10.22 at 13:15, Vincent Lefevre wrote:
> > On 2022-10-12 11:39:40 +0200, Michael Biebl wrote:
> > > What you see here is expected behaviour:
> > > Your login via SSH is apparently done via PAM, which triggers the start
> > > of a systemd --user instance (with all that it entails). And systemd
> > > dutifully logs everything when setting up that user instance (and
> > > tearing it down again on log out).
> >
> > Well, the account was created by adduser with the --disabled-login
> > option. So I wonder why a systemd --user instance is started.
>
> disabled-login means disabled password. You can still log in as that user
> via other means (su, sudo, SSH keys).
> Which mechanism do you use?

No, you are confusing it with --disabled-password:

       --disabled-password
              Like --disabled-login, but logins are still possible (for
              example using SSH keys) but not using password authentication.

I really used --disabled-login. But the man page is really unclear.

The intent was to allow SSH connections, but "full" logins (with
additional services such as provided by systemd) are not necessary.

> I wouldn't recommend disabling PAM in SSH (I assume you meant "UsePAM no" in
> sshd_config), but use a different login shell for subversion where PAM is
> not involved or rather, which uses a custom PAM profile where you can
> exclude pam_systemd.so.

Yes, I thought that this was the case for /bin/sh, as opposed to
/bin/bash (default for root, unless this has changed) or /bin/zsh.
But see below.

> I don't really know your particular setup, so it's a bit hard to give proper
> advice.
> But if the user used for subversion access is not meant to be a *regular*
> user but some kind of specialized (system) user, it could indeed be an
> option to disable systemd --user for this particular user.

This is certainly true for the special svn user, who has
a .ssh/authorized_keys file with only

  command="/usr/bin/svnserve ...",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty

lines.

BTW, I think that rather than with the login shell, pam_systemd.so
inclusion should be controlled by such an option. Something like
"no-systemd" (or perhaps pam-options="..."). But this is a setting
that would need to be forwarded to PAM, I suppose.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
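
Added example, not part of the original message: a small audit that checks every entry of an authorized_keys file like the svn user's for the forced `/usr/bin/svnserve` command and the four restrictions quoted above. The sample entries, key blobs, user names and svnserve arguments are constructed, and accepting OpenSSH's `restrict` option as equivalent to the four `no-*` options is an assumption of this sketch.

```python
import re
# Restrictions the message lists for the svn account's keys (option names lowercased).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
KEYTYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

# Constructed sample entries; key blobs and user names are placeholders.
SAMPLE = '''\
command="/usr/bin/svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER alice
command="/usr/bin/svnserve -t --tunnel-user=bob",no-port-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER bob
ssh-ed25519 AAAAPLACEHOLDER carol
restrict,command="/usr/bin/svnserve -t --tunnel-user=dave" ssh-ed25519 AAAAPLACEHOLDER dave
'''

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys entry."""
    if KEYTYPE.match(line):          # entry starts with the key type: no options
        return {}, line
    opts, cur, in_quotes, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and line.startswith('\\"', i):   # escaped quote in a value
            cur, i = cur + '"', i + 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and (c == "," or c.isspace()):
            opts.append(cur)
            cur = ""
            if c != ",":             # unquoted whitespace ends the options field
                break
        else:
            cur += c
        i += 1
    return {o.partition("=")[0].lower(): o.partition("=")[2] for o in opts}, line[i:].strip()

def audit(text, forced="/usr/bin/svnserve"):
    """Return (line number, problem) pairs for entries that are too permissive."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        if opts.get("command", "").split()[:1] != [forced]:
            findings.append((n, "no forced svnserve command"))
        # With "restrict", only an explicit re-enable (e.g. "pty") counts as missing.
        missing = sorted(r for r in REQUIRED
                         if (r[3:] in opts if "restrict" in opts else r not in opts))
        if missing:
            findings.append((n, "missing " + ",".join(missing)))
    return findings
```

Call `audit()` on the contents of the account's authorized_keys file; an empty list means every entry carries the forced command and the restrictions.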