[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

ssh log weirdness



I noticed while going over log entries that ssh seems to be logging
system access strangely.  I have a user with a account that has password
aging enabled:
"Chage -l userX" says the account will expire on Jan 12 2006.  While
looking at /var/log/messages and /var/log/secure I saw the following:

Jan 23 18:43:16 server sshd(pam_unix)[20699]: session opened for user
userX
by (uid=0)
Jan 23 18:43:16 server sshd(pam_unix)[20699]: session closed for user
userX
Jan 23 18:43:16 server sshd[20690]: Accepted password for userX from
xxx.xxx.xxx.xxx port 1512 ssh2

With password aging enabled, I don't see how this is possible.  Using
the "last" and "lastlog" commands it shows that this user last logged in
on Jan 12 2006.  Password aging definitely works, I tested it.  Anyone
have any ideas how this can happen?  It is interesting that the open and
close times are the same in /var/log/messages.  I have checked the
shadow and password file and all seems normal.  When I try to su to this
user from root it says the password is expired.  All seems normal except
for those log entries.

System runs Red Hat Enterprise Linux ES release 4

Thanks


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]