ssh log weirdness
redhat at buglecreek.com
redhat at buglecreek.com
Tue Jan 24 23:03:17 UTC 2006
I noticed while going over log entries that ssh seems to be logging
system access strangely. I have a user with a account that has password
aging enabled:
"Chage -l userX" says the account will expire on Jan 12 2006. While
looking at /var/log/messages and /var/log/secure I saw the following:
Jan 23 18:43:16 server sshd(pam_unix)[20699]: session opened for user
userX
by (uid=0)
Jan 23 18:43:16 server sshd(pam_unix)[20699]: session closed for user
userX
Jan 23 18:43:16 server sshd[20690]: Accepted password for userX from
xxx.xxx.xxx.xxx port 1512 ssh2
With password aging enabled, I don't see how this is possible. Using
the "last" and "lastlog" commands it shows that this user last logged in
on Jan 12 2006. Password aging definitely works, I tested it. Anyone
have any ideas how this can happen? It is interesting that the open and
close times are the same in /var/log/messages. I have checked the
shadow and password file and all seems normal. When I try to su to this
user from root it says the password is expired. All seems normal except
for those log entries.
System runs Red Hat Enterprise Linux ES release 4
Thanks
More information about the Redhat-install-list
mailing list