[Logcheck-devel] Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule
Elmar Hoffmann
elho at elho.net
Sun Jan 20 02:10:13 UTC 2008
Hi,
on Fri, Sep 28, 2007 at 17:18:33 -0400, Frédéric Brière wrote:
> This reflects the change that occurred in pam_unix in September 2005,
> where the logging went from "(pam_unix)" to "pam_unix(ssh:auth)". This
> was already done in the second auth.fail rule, but not in the first,
> hence this report.
Looking at those two lines, they could just be different versions of the same thing; here are the commented differences:
* the second omits the PID of the ssh daemon - mistake or did older messages look like that? (the ones I see do have the PID)
* the second does use the new PAM format - but does the part after ssh: really need to match anything but auth?
* the first uses tty=ssh (which I do see in current messages); if the second form with the empty tty also currently exists, a tty=(ssh)? won't hurt
* the first uses much wider (just any non-space char) patterns for rhost= and user=
* the first makes the user= part optional, I see that in current messages
elmar
--
Elmar Hoffmann <elho at elho.net>
GPG key available via pgp.net
ASCII Ribbon Campaign against HTML email & vCards
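To make the differences listed above concrete, here is an added example (not the rule shipped in logcheck, and not from the message) that folds the listed points into one consolidated pattern and runs it over constructed sshd/pam_unix log lines in both the old "(pam_unix)" and the new "pam_unix(ssh:auth)" form. Python's re is used in place of the egrep -E syntax logcheck rules are written in, so the character classes differ slightly from a real rule file. Since this is a violations.ignore.d rule, a matching line is suppressed from the report, so the samples also include lines the rule should deliberately not swallow.

```python
import re

# Assumed consolidated rule: PID optional, both pam_unix tags, only the
# auth part of the new format, tty=ssh or empty, wide rhost=/user=,
# user= optional. Illustration only, not logcheck's own rule.
RULE = re.compile(
    r"^\w{3} [ :0-9]{11} [\w.-]+ sshd(\[[0-9]+\])?: "            # syslog prefix, PID optional
    r"(\(pam_unix\)|pam_unix\(ssh:auth\):) authentication failure; "  # old and new tag
    r"logname=\S* uid=[0-9]+ euid=[0-9]+ tty=(ssh)? ruser=\S* rhost=\S+"  # tty=ssh or empty
    r"( +user=\S+)?$"                                             # user= is optional
)

# Constructed sample lines (addresses from the documentation range 192.0.2.0/24).
_PREFIX = "Jan 20 02:10:13 myhost sshd"
_TAIL = "authentication failure; logname= uid=0 euid=0"
SAMPLES = {
    "new_pid_user": f"{_PREFIX}[12345]: pam_unix(ssh:auth): {_TAIL} tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "old_format":   f"{_PREFIX}[12345]: (pam_unix) {_TAIL} tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "no_pid":       f"{_PREFIX}: pam_unix(ssh:auth): {_TAIL} tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "no_user":      f"{_PREFIX}[12345]: pam_unix(ssh:auth): {_TAIL} tty=ssh ruser= rhost=192.0.2.10",
    "empty_tty":    f"{_PREFIX}[12345]: pam_unix(ssh:auth): {_TAIL} tty= ruser= rhost=192.0.2.10  user=bob",
    # The following two must NOT be ignored: a different PAM stage, and a non-ssh tty.
    "ssh_account":  f"{_PREFIX}[12345]: pam_unix(ssh:account): {_TAIL} tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "local_tty":    f"{_PREFIX}[12345]: pam_unix(ssh:auth): {_TAIL} tty=pts/0 ruser= rhost=192.0.2.10  user=alice",
}


def is_ignored(line: str) -> bool:
    """True if the consolidated rule would suppress this line from the violations report."""
    return RULE.match(line) is not None


def check_samples() -> dict:
    """Map each sample name to whether the rule ignores it."""
    return {name: is_ignored(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in check_samples().items():
        print(f"{name:13s} {'ignored' if hit else 'REPORTED'}")
```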