Just recently compiled and installed openssh-2.9p2 and openssl-0.9.5a
into a RHL6.1 server.
After a lot of headaches I am able to log into the server, but there
are no messages recorded in any logs.
I was at one point getting errors about /var/log/lastlog when logging
in, however this was resolved by adding the line "auth.*
/var/log/lastlog/" in syslog.conf. This created the file and there
have been no problems.
HOWEVER, no messages are being logged anywhere regarding someone
signing into the server using ssh. I was also having problems with
using /etc/rc.d/init.d/sshd start function. Kept getting
configuration errors about the loglevel keyword. I have since
commented those lines out in order to start/stop sshd that way.
When I was starting sshd from the command line and directing it to the
configuration file (with Syslog facility and Loglevel uncommented)
with the -f option I never received an error, but at the same time
nothing was ever logged.
Does anyone have any ideas? Your help would be greatly appreciated.
Thanks
JIM
Jim> I was at one point getting errors about /var/log/lastlog when
Jim> logging in, however this was resolved by adding the line "auth.*
Jim> /var/log/lastlog/" in syslog.conf. This created the file and
Jim> there have been no problems.
Except that now you're dumping text syslog messages into the system
lastlog file. This is not right.
Jim> Kept getting configuration errors about the loglevel keyword. I
Jim> have since commented those lines out in order to start/stop sshd
Jim> that way.
Well, the sshd man page says explicitly what is allowed as an argument to
LogLevel. What do you have? Does it match what's allowed?
Anyway, the default for sshd syslog messages (also documented) is
auth.info. They would normally go wherever you've set syslogd to put such
messages. However, you've told it to put them in a file already used for
something else. If you've been looking in that file, it's possible that
those messages are getting overwritten when the file is truncated by the
login program.
--
Richard Silverman
sl...@shore.net
The following is the sshd_config file that I have been going with:
# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
Port 22
Protocol 1,2
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
#X11Forwarding no
#X11DisplayOffset 10
#PrintMotd no
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys
# in /usr/local/etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
CheckMail no
UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/local/libexec/sftp-server
#
#
#
However like I said I get errors when I use /etc/rc.d/init.d/sshd
start:
Starting sshd:/etc/sshd_config line 9: Bad configuration option: protocol
Starting sshd:/etc/sshd_config line 33: Bad configuration option: loglevel
Starting sshd:/etc/sshd_config line 72: Bad configuration option: subsystem
I went in and commented out each line in the sshd_config file. After
which I am able to get the ssh daemon up and running.
Here's the original syslog.conf I have reverted back to:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
#
#
However, nothing gets logged. Obviously, cause of the loglevel being
commented out.
I tried starting the ssh daemon from the command line using
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config and received no
errors of bad command lines which I had uncommented. But again
nothing logged in the messages log.
I can't figure this out. I'm almost thinking of deleting all the
files and starting from scratch. Any ideas how I can avoid this?
Thanks for the help.
Jim
Hi Jim,
Not sure that you are up and running with your SSH logging yet.
But if you are not, here are some configs from my Solaris
machine which work fine for me and should work with another
flavor as well *hopefully*.
In the sshd_config file I have SYSLOGFACILITY DAEMON; you might want to use AUTH,
just try whichever works, and in syslog.conf I have auth.debug /var/log/ssh.log
It's my own machine so that means I'm just fooling around
with the logging part. If you would like to log to a different
machine just add into your syslog.conf file auth.debug @loghost2
where @loghost2 is defined in /etc/hosts and in that machine's syslog.conf
you have auth.debug /var/log/syslog or whatever.
Hope that this solves your problem or gets you closer to solving it.
Cheers,
Pierre
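
Added example (not part of the original thread): a simplified Python model of sysklogd-style selector matching, run over the syslog.conf posted above, showing which file receives a message for a given facility and level such as sshd's auth.info. The function names are hypothetical, and '!' negation and priority aliases are not modelled.

```python
# Added example: simplified sysklogd-style selector matching ('!' not handled).
# Priorities are listed from least to most severe.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# syslog.conf rules from the thread, selector and action rejoined on one line.
THREAD_CONF = """\
*.info;mail.none;news.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
"""

def parse_rules(text):
    """Return [(selector, action)], skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, priority):
    """Evaluate the ';'-separated terms left to right for one message."""
    level, matched = PRIORITIES.index(priority), False
    for term in selector.split(";"):
        facs, _, prio = term.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":                 # facility.none switches it off
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):         # exactly this priority
            matched = matched or level == PRIORITIES.index(prio[1:])
        else:                              # this priority or higher
            matched = matched or level >= PRIORITIES.index(prio)
    return matched

def destinations(conf_text, facility, priority):
    return [a for s, a in parse_rules(conf_text) if selector_matches(s, facility, priority)]

if __name__ == "__main__":
    for fac, prio in [("auth", "info"), ("authpriv", "info"), ("auth", "debug")]:
        print(fac, prio, "->", destinations(THREAD_CONF, fac, prio))
```

With this syslog.conf, auth.info lands in /var/log/messages, authpriv.info in /var/log/secure, and auth.debug is dropped unless a line such as Pierre's auth.debug entry is added.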