
Thread: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

  1. #1

    Question How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    I run
    Code:
        ssh -V
            OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019
    on
    Code:
        lsb_release -rd
            Description:    openSUSE Leap 15.1
            Release:        15.1
    as well as a # of TW instances.

    Every time I ssh to a remote, e.g.
    Code:
        whoami
            pgnd
        ssh -F /etc/ssh/ssh_config -l root remote.example.com
    the remote syslog gets spammed with,
    Code:
        Aug 12 12:18:07 remote sshd[6608]: Accepted publickey for root from 10.10.10.66 port 30518 ssh2: ED25519 SHA256:i0...yY
        Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
        Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
        Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/cc
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
        Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/c++
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
        Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/cpp-9 /usr/bin/cpp
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
        Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
    This thread, for Debian,

    How to stop sudo PAM messages in auth.log for a specific user?
    https://unix.stackexchange.com/quest...-specific-user

    suggests shutting up the pam_unix sudo spam with an edit to
    Code:
        /etc/pam.d/sudo 
            ...
    +        session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = zabbix 
            session required pam_unix.so:
            ...
    On my boxes, the file's got different content than Debian's to start with,
    Code:
        /etc/pam.d/sudo 
    
            #%PAM-1.0
            auth     include        common-auth
            account  include        common-account
            password include        common-password
            session  optional       pam_keyinit.so revoke
            session  include        common-session
            # session  optional       pam_xauth.so
    where,

    (a) it does NOT use Debian's "@include" syntax,

    &

    (b) there's no instance of "pam_unix.so"

    On Leap/TW, what -- specifically -- needs to be added/changed in its pam config to similarly shut this log-spam up?

  2. #2
    Join Date
    Sep 2012
    Posts
    4,972

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    What's the point of having user root use sudo to run a program as user root in the first place? You are fixing symptoms, not the root cause.

  3. #3

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    As I'm not manually/intentionally invoking 'sudo' at any step of the way, I've no idea what point you're attempting to make.

    If you've got specific suggestions about whatever 'root cause', feel free to contribute them.

  4. #4
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,486
    Blog Entries
    15

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    Quote Originally Posted by pgnd View Post
    As I'm not manually/intentionally invoking 'sudo' at any step of the way, I've no idea what point you're attempting to make.

    If you've got specific suggestions about whatever 'root cause', feel free to contribute them.
    Hi
    This entry;

    Code:
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
    Sure it's not some runaway script running as sudo somewhere (cron, systemd service etc), which just happens to show when you're logged in?

    Does it change if you login to the system as your user then use su - to switch to root?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  5. #5

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    @malcolmlewis

    > Sure it's not some runaway script running as sudo somewhere (cron, systemd service etc), just happens to show when your logged in?
    Nope, not *sure* at all ... but if it's cron-related & there, I haven't found it yet.

    These 'spammy' entries ONLY appear when I ssh into a box remotely.

    And, it's happening on all my boxes, so it's consistent, at least ...

    > Does it change if you login to the system as your user then use su - to switch to root?
    If I connect remotely as 'user' (eg, "pgnd"), not 'root', the remote's logs still get the same entries, with just the user changed ...
    Code:
    Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session closed for user root
    THEN, if on remote I exec,
    Code:
    su - 
    Password: ######
    I *additionally* get another batch, with "uid=" changed as well for the session open:
    Code:
    Aug 12 16:35:39 remote su: (to root) pgnd on pts/5 
    Aug 12 16:35:39 remote su: pam_unix(su-l:session): session opened for user root by pgnd(uid=1000) 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++ 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/cc 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/c++ 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/cpp-9 /usr/bin/cpp 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
    the 'gcc' lines are a head-scratcher for me, too ...

  6. #6
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    19,642
    Blog Entries
    14

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    Eh, you posted here and tagged with Tumbleweed. Now your first post says Leap 15.1 ....... Which one is it? Please show
    Code:
    zypper lr -d
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  7. #7
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,486
    Blog Entries
    15

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    Quote Originally Posted by pgnd View Post
    @malcolmlewis

    Nope, not *sure* at all ... but if it's cron-related & there, I haven't found it yet.

    These 'spammy' entries ONLY appear when I ssh into a box remotely.

    And, it's happening on all my boxes, so it's consistent, at least ...

    If I connect remotely as 'user' (eg, "pgnd"), not 'root', the remote's logs still get the same entries, with just the user changed ...
    Code:
    Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session closed for user root
    THEN, if on remote I exec,
    Code:
    su - 
    Password: ######
    I *additionally* get, another batch, with "uid=" changed, as well, for the session open
    Code:
    Aug 12 16:35:39 remote su: (to root) pgnd on pts/5 
    Aug 12 16:35:39 remote su: pam_unix(su-l:session): session opened for user root by pgnd(uid=1000) 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++ 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/cc 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/c++ 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root 
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/cpp-9 /usr/bin/cpp 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0) 
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
    the 'gcc' lines are a head-scratcher for me, too ...
    Hi
    Something in root's .profile or .bashrc running?

    Run fgrep and look for the ln command... there is something lurking for sure.
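    Malcolm's "run fgrep and look for the ln command" suggestion, turned into a small script. This is an added example, not code posted in the thread: it builds a throwaway directory tree that imitates /etc/profile.d and root's .bashrc (the tree, the file names and the zz-alternatives.sh contents are constructed for the demonstration), then greps it for lines that run sudo, su or ln as a command. On a real box you would point find_privileged_login_hooks at /etc/profile.d, /etc/profile, /etc/bash.bashrc and root's dotfiles instead of the sample tree.

```shell
#!/bin/sh
# Build a throwaway tree imitating the login-script locations discussed in the
# thread (constructed sample, not a real system): one clean profile.d script,
# one that runs "sudo ln -sf" on every login, and a harmless .bashrc.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/profile.d" "$dir/root"
    printf '%s\n' 'export EDITOR=vim' > "$dir/etc/profile.d/editor.sh"
    printf '%s\n' '# alternatives setup that belongs in a one-shot unit, not here' \
        'sudo ln -sf /usr/bin/gcc-9 /usr/bin/gcc' \
        'sudo ln -sf /usr/bin/g++-9 /usr/bin/g++' > "$dir/etc/profile.d/zz-alternatives.sh"
    printf '%s\n' 'alias ll="ls -l"' > "$dir/root/.bashrc"
    printf '%s\n' "$dir"
}

# Print every line in the given files/directories (searched recursively,
# dotfiles included) that invokes sudo, su or ln as a command, i.e. the word
# sits at line start or right after whitespace, ';', '&' or '|'.
# Output is path:lineno:line, the same shape grep -Hn gives, so it pipes on.
find_privileged_login_hooks() {
    grep -rHnE '(^|[[:space:];&|])(sudo|su|ln)([[:space:]]|$)' "$@" 2>/dev/null
}

# Count matching lines, for a quick "is anything lurking?" answer.
# grep -c exits non-zero when the count is 0, so mask that for set -e callers.
count_privileged_login_hooks() {
    find_privileged_login_hooks "$@" | grep -c . || true
}

# Stand-alone run against the constructed tree.
tree=$(make_sample_tree)
echo "privileged commands run at login under $tree:"
find_privileged_login_hooks "$tree/etc/profile.d" "$tree/root/.bashrc"
rm -rf "$tree"
```

    Anything this reports from /etc/profile.d or a shell rc file runs on every interactive login of every user, which is exactly the per-login behaviour the later posts identify as the real problem.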

  8. #8

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    > Eh, you posted here and tagged with Tumbleweed. Now your first post says Leap 15.1 ....... Which one is it?
    RTOP,
    > as well as a # of TW instances.
    > Something in root's .profile or .bashrc running?
    That makes sense ... didn't see it there 1st go'round.

    Looking again ...

  9. #9

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    @malcolmlewis

    > there is something lurking for sure.
    bingo!

    needed to look deeper; initial grep on just the top .bashrc/.profile didn't find 'em.

    found gcc* symlinks included from some buried alternatives setup files in /etc/profile.d/.

    bad/old ansible script put 'em in the wrong place; that 'stuff' should be once-on-startup, not per-login.

    moved it, and now, on ssh login, no more gcc-related whining -- which makes sense.
    so yay!

    ALSO, no more pam_unix/session entries in logs (so far ...); I'll admit not being clear yet on why those^^ are related to the ln-'lurkers'.

    TA for the find.
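    Why the pam_unix lines went away together with the ln lurkers, shown with an awk correlation. This is an added example, not code from the thread: sudo opens a PAM session for every command it runs and pam_unix logs the open and the close, so each "sudo: ... COMMAND=" line is trailed by exactly one opened/closed pair, and removing the per-login sudo calls removes the pairs. The sample log below is constructed from the lines quoted earlier in the thread (with one sshd line appended); attribute_pam_sessions and orphan_pam_sessions are names chosen here.

```shell
#!/bin/sh
# Constructed sample of the syslog lines quoted in this thread (not a capture).
SAMPLE_LOG='Aug 12 16:35:39 remote su: (to root) pgnd on pts/5
Aug 12 16:35:39 remote su: pam_unix(su-l:session): session opened for user root by pgnd(uid=1000)
Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 16:35:41 remote sshd[6608]: Accepted publickey for root from 10.10.10.66 port 30518 ssh2'

# Read syslog lines on stdin and print, for every "sudo: ... COMMAND=" line,
# the command plus how many pam_unix(sudo:session) opened/closed messages
# followed it before the next sudo command line. Each command should show
# opened=1 closed=1: the PAM lines are a by-product of that sudo call.
attribute_pam_sessions() {
    awk '
        /sudo: .* COMMAND=/ {
            if (cmd != "") print cmd " opened=" opened " closed=" closed
            sub(/.*COMMAND=/, ""); cmd = $0; opened = 0; closed = 0; next
        }
        /sudo: pam_unix\(sudo:session\): session opened/ { opened++; next }
        /sudo: pam_unix\(sudo:session\): session closed/ { closed++; next }
        END { if (cmd != "") print cmd " opened=" opened " closed=" closed }
    '
}

# Count pam_unix(sudo:session) messages that are NOT bracketed by a preceding
# "sudo: ... COMMAND=" line. A non-zero result means a sudo session was opened
# without the matching command log line, which is worth investigating rather
# than silencing.
orphan_pam_sessions() {
    awk '
        /sudo: .* COMMAND=/ { expect = 1; next }
        /sudo: pam_unix\(sudo:session\): session opened/ { if (!expect) orphans++; next }
        /sudo: pam_unix\(sudo:session\): session closed/ { if (!expect) orphans++; expect = 0; next }
        END { print orphans + 0 }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | attribute_pam_sessions
printf 'orphan pam_unix(sudo:session) lines: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | orphan_pam_sessions)"
```

    On a live box, feed it the real log instead of the sample (for example `journalctl -t sudo --no-pager | attribute_pam_sessions`): every pair that shows up with a COMMAND has a known cause, and only the orphans would justify looking at the PAM stack at all.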

  10. #10
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,486
    Blog Entries
    15

    Default Re: How to correctly shut-up "pam_unix(sudo:session)" syslog spam?

    Quote Originally Posted by pgnd View Post
    @malcolmlewis

    bingo!

    needed to look deeper; initial grep on just the top .bashrc/.profile didn't find 'em.

    found gcc* symlinks inlcuded from some buried alternatives setup files in /etc/profile.d/.

    bad/old ansible script put 'em in the wrong place; that 'stuff' should be once-on-startup, not per-login.

    moved it, and now, on ssh login, no more gcc-related whining -- which makes sense.
    so yay!

    ALSO, no more pam_unix/session entries in logs (so far ...); I'll admit not being clear yet on why those^^ are related to the ln-'lurkers'.

    TA for the find.
    Hi
    Glad it's all sorted, enjoy

