Marc Lehmann <schm...@schmorp.de> writes:
> Russ Allbery <r...@debian.org> wrote:
>> Marc Lehmann <schm...@schmorp.de> writes:

>>> What luck that I found out how to reproduce it a while later: remove the
>>> /etc/shadow entry for the user, and you get connection closed but no log
>>> messages whatsoever.

>> I think that's just because pam_unix doesn't log anything in this case.
>> I've run into that before.

> I have no clue who logs, but the fact remains that I only get the message
> when privsep is off.

Ah, I think I understand. That error message is coming from ssh itself. So this isn't a problem with how PAM modules are called, but rather apparently a problem with the logging code in sshd itself in the case of privilege separation. You don't get the failure message generated internally by sshd when the account stack fails.

I did double-check the pam_unix source code and indeed it just exits with a failure status but reports no error messages at all if the user isn't listed in /etc/shadow. I think that's probably also a bug in pam.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
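
A check for the condition discussed in this thread (an account with no /etc/shadow entry, which fails here without a log line), as an added example that is not part of the original messages. It lists accounts whose passwd password field is `x` (password kept in shadow) but which have no shadow line; the function names and sample data are constructed for illustration.

```python
# Added example: find accounts that defer to /etc/shadow but have no entry there.
# SAMPLE_PASSWD and SAMPLE_SHADOW are constructed data, not taken from the thread.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
bob:$6$constructed$notarealhash:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {name: fields} for passwd/shadow style colon-separated text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat lines (+name / -name).
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def missing_shadow_entries(passwd_text, shadow_text):
    """Names whose passwd entry points at shadow ('x') but have no shadow line."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    missing = []
    for name, fields in passwd.items():
        if len(fields) < 7:
            continue  # malformed passwd line, not this check's concern
        if fields[1] == "x" and name not in shadow:
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    for name in missing_shadow_entries(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: passwd entry has no matching shadow entry")
```

To run it against a live system, pass the contents of /etc/passwd and /etc/shadow (the latter needs root to read) to `missing_shadow_entries`.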