double entries in the /var/log/secure file - 1=local time, 2=GMT time - SSH



Thread: double entries in the /var/log/secure file - 1=local time, 2=GMT time

  1. double entries in the /var/log/secure file - 1=local time, 2=GMT time

    Why do you think this could be happening....?

    Jul 4 00:28:29 raos sshd[10770]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3285 ssh2
    Jul 3 17:28:29 raos sshd[10769]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3285 ssh2
    Jul 4 00:28:32 raos sshd[10791]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3287 ssh2
    Jul 3 17:28:32 raos sshd[10790]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3287 ssh2
    Jul 4 00:28:34 raos sshd[10811]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3289 ssh2
    Jul 3 17:28:34 raos sshd[10810]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3289 ssh2


    This is coming from a cygwin script using rsync on a WinXP box to
    a RedHat Linux box.......

    I've tried flipping off various /etc/ssh/sshd_config authentication
    methods, but the result was either the message changed or the script
    failed entirely,....



    thanks ahead of time

    dmc





  2. Re: double entries in the /var/log/secure file - 1=local time, 2=GMT time

    On 2007-07-04, david wrote:
    > Why do you think this could be happening....?
    >
    > Jul 4 00:28:29 raos sshd[10770]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3285 ssh2
    > Jul 3 17:28:29 raos sshd[10769]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3285 ssh2

    [...]
    > I've tried flipping off various /etc/ssh/sshd_config authentication
    > methods, but
    > the result was either the message changed or the script failed entirely,....


    There's one message from the privsep monitor (privileged process) and one
    from the slave (unprivileged process which is chrooted to /var/empty).
    The one in GMT is from the unprivileged process, because it doesn't have
    access to /etc/localtime to convert whatever is in your $TZ environment
    variable into its GMT offset.

    This must be a relatively old version because it was fixed in (I think)
    OpenSSH 4.3 or so.

    Your options are:
    a) upgrade
    b) "UsePrivilegeSeparation no" in sshd_config
    c) remove the logging socket from the chroot (/var/empty/dev/log)
    d) copy /etc/localtime into the chroot (/var/empty/etc/localtime).

    a & b will stop it from happening, although with b you will also lose
    the protection offered by privsep. c will stop *all* logging from the
    privsep slave. d won't stop the log messages, but they should have the
    correct offset from GMT.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
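
The symptom explained in the reply above can be picked out of a log mechanically. The following is an added example, not part of the thread and not OpenSSH code: it pairs identical sshd messages that come from different PIDs and whose timestamps differ by a whole number of quarter hours, so that the two copies can be counted as one login. The function names, the year default and the one constructed sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+sshd\[(\d+)\]:\s+(.*)$")
MSG = "Accepted publickey for mort from ::ffff:xx.xx.xx.250 port %d ssh2"

# First six entries are the ones quoted in the thread (wrapped lines re-joined);
# the last entry is constructed for this example and has no twin.
SAMPLE = "\n".join([
    "Jul 4 00:28:29 raos sshd[10770]: " + MSG % 3285,
    "Jul 3 17:28:29 raos sshd[10769]: " + MSG % 3285,
    "Jul 4 00:28:32 raos sshd[10791]: " + MSG % 3287,
    "Jul 3 17:28:32 raos sshd[10790]: " + MSG % 3287,
    "Jul 4 00:28:34 raos sshd[10811]: " + MSG % 3289,
    "Jul 3 17:28:34 raos sshd[10810]: " + MSG % 3289,
    "Jul 3 17:30:02 raos sshd[10835]: " + MSG % 3301,
])

def parse(text, year):
    """Yield (timestamp, host, pid, message) for each sshd syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp, host, pid, msg = m.groups()
            # Classic syslog stamps carry no year or zone, so the year is supplied.
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, host, int(pid), msg

def find_tz_twins(text, year=2007, max_hours=14):
    """Pair identical sshd messages from different PIDs whose stamps differ
    by a whole number of quarter hours (a plausible UTC offset)."""
    groups = defaultdict(list)
    for ts, host, pid, msg in parse(text, year):
        groups[(host, msg)].append((ts, pid))
    twins, singles = [], []
    for (host, msg), entries in groups.items():
        entries.sort()
        used = set()
        for i, (t1, p1) in enumerate(entries):
            for j in range(i + 1, len(entries)):
                gap = entries[j][0] - t1
                if (i not in used and j not in used and entries[j][1] != p1
                        and timedelta(0) < gap <= timedelta(hours=max_hours)
                        and gap.total_seconds() % 900 == 0):
                    used.update((i, j))
                    twins.append((p1, entries[j][1], gap.total_seconds() / 3600, msg))
        singles += [(pid, msg) for k, (_, pid) in enumerate(entries) if k not in used]
    return twins, singles
```

Each tuple in `twins` is (PID of the earlier stamp, PID of the later stamp, offset in hours, message); counting a twin pair as one login keeps authentication tallies accurate on hosts still running the affected sshd.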

  3. Re: double entries in the /var/log/secure file - 1=local time, 2=GMT time

    Thanks Darren.....

    david


    >> Jul 4 00:28:29 raos sshd[10770]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3285 ssh2
    >> Jul 3 17:28:29 raos sshd[10769]: Accepted publickey for mort from ::ffff:xx.xx.xx.250 port 3285 ssh2

    > [...]
    >> I've tried flipping off various /etc/ssh/sshd_config authentication
    >> methods, but
    >> the result was either the message changed or the script failed
    >> entirely,....

    >
    > There's one message from the privsep monitor (privileged process) and one
    > from the slave (unprivileged process which is chrooted to /var/empty).
    > The one in GMT is from the unprivileged process, because it doesn't have
    > access to /etc/localtime to convert whatever is in your $TZ environment
    > variable into its GMT offset.
    >
    > This must be a relatively old version because it was fixed in (I think)
    > OpenSSH 4.3 or so.
    >
    > Your options are:
    > a) upgrade
    > b) "UsePrivilegeSeparation no" in sshd_config
    > c) remove the logging socket from the chroot (/var/empty/dev/log)
    > d) copy /etc/localtime into the chroot (/var/empty/etc/localtime).
    >
    > a & b will stop it from happening, although with b you will also lose
    > the protection offered by privsep. c will stop *all* logging from the
    > privsep slave. d won't stop the log messages, but they should have the
    > correct offset from GMT.
    >
    > --
    > Darren Tucker (dtucker at zip.com.au)
    > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    > Good judgement comes with experience. Unfortunately, the experience
    > usually comes from bad judgement.



