Philippe23 Tux's lil' helper
Joined: 20 Dec 2006 Posts: 130 Location: Central NY
Posted: Sun Jul 16, 2023 11:46 am Post subject: PAM "logname=" documentation?
For as long as I can remember PAM failures in my logs have had "logname=" with no value. In the last few days, they suddenly have started having a value of my non-admin username and I'm confused what's changed. (It's also not the username that's being used to authenticate with PAM.)
Does anyone know where I can find documentation about the various PAM log fields?
Unfortunately, Google searches find a lot of noise since "PAM" "log" and even "logname=" just find people asking about why their PAM-using various services are failing.
Thanks!
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3948
Posted: Sun Jul 16, 2023 2:33 pm
You can find them mostly in
/var/log/auth.log
or your DM log.
The format is simple
Date/Time Hostname Command Message
I find no log in /var/log containing the string "logname="
Can you plz post one of the offending log entries and the log file it came from?
Philippe23 Tux's lil' helper
Joined: 20 Dec 2006 Posts: 130 Location: Central NY
Posted: Sun Jul 16, 2023 4:37 pm
From my syslog-ng's /var/log/messages (with my username replaced with "my_user_name"):
Code:
Jul 15 22:55:34 kant sshd[12713]: pam_unix(sshd:auth): authentication failure; logname=my_user_name uid=0 euid=0 tty=ssh ruser= rhost=106.51.48.110
With more surrounding context, which shows the actual username that's attempting to authenticate is "support", which is an invalid user because my machine does not have such an account:
Code:
Jul 15 22:55:33 kant sshd[12713]: pam_faillock(sshd:auth): User unknown
Jul 15 22:55:33 kant sshd[12710]: Postponed keyboard-interactive for invalid user support from 106.51.48.110 port 44056 ssh2 [preauth]
Jul 15 22:55:34 kant sshd[12713]: pam_unix(sshd:auth): check pass; user unknown
Jul 15 22:55:34 kant sshd[12713]: pam_unix(sshd:auth): authentication failure; logname=my_user_name uid=0 euid=0 tty=ssh ruser= rhost=106.51.48.110
Jul 15 22:55:34 kant sshd[12713]: pam_faillock(sshd:auth): User unknown
Jul 15 22:55:36 kant sshd[12710]: error: PAM: Authentication failure for illegal user support from 106.51.48.110
Jul 15 22:55:36 kant sshd[12710]: Failed keyboard-interactive/pam for invalid user support from 106.51.48.110 port 44056 ssh2

Again, I'm just trying to find documentation about the logname= field. It's always been empty before. I have similar entries for my smtp service as well, so it's not specific to sshd.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3948
Posted: Sun Jul 16, 2023 5:38 pm
I think this only appears when logging sshd failed attempts.
Plain syslog registers them in auth.log.
Your syslog-ng prefers "messages".
LOGNAME= I think refers NOT to a particular log but to which user the terminal belonged to before changing to root.
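As an added example (not from any poster in this thread): a small Python parser for the pam_unix "authentication failure" lines quoted above. It keeps empty fields such as logname= and ruser= and reports, per PAM service, the first entry where logname= carried a value. Apart from the line quoted in the thread, the sample lines are constructed, including the smtpd process name, the PIDs and the 192.0.2.x addresses.

```python
import re

# Constructed sample: the thread's log line, plus an older-style line with an
# empty logname= and a made-up smtp line (process names, PIDs, addresses invented).
SAMPLE = """\
Jul 14 08:01:12 kant sshd[4021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jul 15 22:55:33 kant sshd[12713]: pam_faillock(sshd:auth): User unknown
Jul 15 22:55:34 kant sshd[12713]: pam_unix(sshd:auth): authentication failure; logname=my_user_name uid=0 euid=0 tty=ssh ruser= rhost=106.51.48.110
Jul 15 23:10:02 kant smtpd[880]: pam_unix(smtp:auth): authentication failure; logname=my_user_name uid=0 euid=0 tty= ruser= rhost=192.0.2.77 user=alice
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"pam_unix\((?P<service>[^:)]+):(?P<type>\w+)\): authentication failure; (?P<kv>.*)$"
)
# key=value pairs; a value may be empty ("logname=", "ruser="), so match \S*.
PAIR = re.compile(r"(\w+)=(\S*)")

def parse_failures(text):
    """Return one dict per pam_unix 'authentication failure' line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other modules (pam_faillock, sshd itself) are skipped
        rec = {k: m.group(k) for k in ("ts", "host", "proc", "pid", "service")}
        rec.update(dict(PAIR.findall(m.group("kv"))))
        out.append(rec)
    return out

def first_nonempty_logname(records):
    """Per PAM service, the first record whose logname= carries a value."""
    first = {}
    for rec in records:
        if rec.get("logname") and rec["service"] not in first:
            first[rec["service"]] = rec
    return first

if __name__ == "__main__":
    recs = parse_failures(SAMPLE)
    for svc, rec in first_nonempty_logname(recs).items():
        print(f"{svc}: logname first set at {rec['ts']} "
              f"(logname={rec['logname']}, pid={rec['pid']}, rhost={rec['rhost']})")
```

Run over the real /var/log/messages, the reported timestamp can be compared against package updates or service restarts from around the same time.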