How to correctly shut up "pam_unix(sudo:session)" syslog spam?

I run


    ssh -V
        OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019

on


    lsb_release -rd
        Description:    openSUSE Leap 15.1
        Release:        15.1

as well as a # of TW instances.

Every time I ssh to a remote, e.g.


    whoami
        pgnd
    ssh -F /etc/ssh/ssh_config -l root remote.example.com

the remote syslog gets spammed with,


    Aug 12 12:18:07 remote sshd[6608]: Accepted publickey for root from 10.10.10.66 port 30518 ssh2: ED25519 SHA256:i0...yY
    Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/cc
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/c++
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 12:18:08 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/cpp-9 /usr/bin/cpp
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root

This, for Debian,

***How to stop sudo PAM messages in auth.log for a specific user?***
https://unix.stackexchange.com/questions/224370/how-to-stop-sudo-pam-messages-in-auth-log-for-a-specific-user

suggests shutting up the pam_unix sudo spam with an edit to


    /etc/pam.d/sudo
        ...
    +   session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = zabbix
        session required pam_unix.so
        ...

On my boxes, the file's got different content than Debian's to start with,


    /etc/pam.d/sudo 

        #%PAM-1.0
        auth     include        common-auth
        account  include        common-account
        password include        common-password
        session  optional       pam_keyinit.so revoke
        session  include        common-session
        # session  optional       pam_xauth.so

where,

(a) it does NOT use Debian's "@include" syntax,

&

(b) there's no instance of "pam_unix.so"

On Leap/TW, what – specifically – needs to be added/changed in its PAM config to similarly shut this log spam up?

What's the point of having user root use sudo to run a program as user root in the first place? You are fixing symptoms, not the root cause.

As I’m not manually/intentionally invoking ‘sudo’ at any step of the way, I’ve no idea what point you’re attempting to make.

If you’ve got specific suggestions about whatever ‘root cause’, feel free to contribute them.

Hi
This entry:


    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
    Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root

Sure it's not some runaway script running as sudo somewhere (cron, systemd service etc), just happens to show when you're logged in?

Does it change if you login to the system as your user then use su - to switch to root?

@malcolmlewis

> Sure it's not some runaway script running as sudo somewhere (cron, systemd service etc), just happens to show when you're logged in?

Nope, not sure at all … but if it’s cron-related & there, I haven’t found it yet.

These ‘spammy’ entries ONLY appear when I ssh into a box remotely.

And, it’s happening on all my boxes, so it’s consistent, at least …

> Does it change if you login to the system as your user then use su - to switch to root?

If I connect remotely as 'user' (e.g. "pgnd"), not 'root', the remote's logs still get the same entries, with just the user changed …


    Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
    Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session closed for user root

THEN, if on remote I exec,


    su -
    Password: ######

I additionally get another batch, with "uid=" changed as well for the session open:


    Aug 12 16:35:39 remote su: (to root) pgnd on pts/5
    Aug 12 16:35:39 remote su: pam_unix(su-l:session): session opened for user root by pgnd(uid=1000)
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/cc
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/c++
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
    Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/cpp-9 /usr/bin/cpp
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
    Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root

the ‘gcc’ lines are a head-scratcher for me, too …

Eh, you posted here and tagged with Tumbleweed. Now your first post says Leap 15.1 … Which one is it? Please show

    zypper lr -d

Hi
Something in root’s .profile or .bashrc running?

Run fgrep and look for the ln command… there is something lurking for sure.

> Eh, you posted here and tagged with Tumbleweed. Now your first post says Leap 15.1 … Which one is it?

RTOP,

> as well as a # of TW instances.

> Something in root's .profile or .bashrc running?

That makes sense … didn’t see it there 1st go’round.

Looking again …

@malcolmlewis

> there is something lurking for sure.

bingo!

needed to look deeper; initial grep on just the top .bashrc/.profile didn’t find 'em.

found gcc* symlinks included from some buried alternatives setup files in /etc/profile.d/.

bad/old ansible script put 'em in the wrong place; that ‘stuff’ should be once-on-startup, not per-login.

moved it, and now, on ssh login, no more gcc-related whining – which makes sense.
so yay!

ALSO, no more pam_unix/session entries in logs (so far …); I’ll admit not being clear yet on why those^^ are related to the ln-‘lurkers’.

TA for the find.
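The thread never spells out why the pam_unix(sudo:session) lines vanished along with the ln hooks: they are the session bracket sudo opens around every command it runs, so each opened/closed pair belongs to exactly one sudo COMMAND line. The following is an added example, not code from the thread: it pairs the two over a constructed excerpt in the same syslog format and counts repeated commands, which is how a per-login hook stands out, and it reports any session-open line that no COMMAND line preceded.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the thread's syslog (two logins, one orphan pair).
SAMPLE_LOG = """\
Aug 12 16:31:07 remote sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
Aug 12 16:31:07 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 16:35:40 remote sudo:     root : TTY=pts/5 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
Aug 12 16:35:40 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 16:35:41 remote sudo: pam_unix(sudo:session): session opened for user root by pgnd(uid=0)
Aug 12 16:35:41 remote sudo: pam_unix(sudo:session): session closed for user root
"""

# sudo's accounting line: "<invoker> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
CMD_RE = re.compile(r"sudo:\s+(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; "
                    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# The pam_unix bracket sudo opens around every command it runs.
OPEN_RE = re.compile(r"sudo: pam_unix\(sudo:session\): session opened for user "
                     r"(?P<target>\S+) by (?P<by>\w+)\(uid=(?P<uid>\d+)\)$")
CLOSE_RE = re.compile(r"sudo: pam_unix\(sudo:session\): session closed for user \S+$")

def correlate(log_text):
    """Pair each sudo COMMAND line with the pam_unix session that follows it.
    Returns (events, orphans): events carry invoker, tty, target, command and the
    uid pam_unix reported; orphans are session-open lines with no preceding COMMAND
    line, which deserve a closer look since sudo normally logs the command first."""
    events, orphans, pending = [], [], None
    for line in (l.rstrip() for l in log_text.splitlines()):
        if m := CMD_RE.search(line):
            pending = m.groupdict()
        elif m := OPEN_RE.search(line):
            if pending is None:
                orphans.append(line)
            else:
                pending.update(by=m.group("by"), uid=int(m.group("uid")))
                events.append(pending)
                pending = None
        elif CLOSE_RE.search(line):
            pass  # the close line adds nothing once the pair is matched
    return events, orphans

def command_counts(events):
    """Count identical commands: a login hook shows up as one command repeated per login."""
    return Counter(e["cmd"] for e in events)
```

Run it over a real /var/log/messages extract instead of SAMPLE_LOG and the command with the highest count per login session is the hook to go looking for in /etc/profile.d and the shell rc files.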

Hi
Glad it’s all sorted, enjoy :slight_smile:

That seems familiar.

I suspect that it is just the systemd entry on the PAM stack, with perhaps the bug (kwallet_pam messes with sudo) also involved.

It doesn't happen here, mainly because I modified "/etc/ssh/sshd_config", changing

    UsePAM yes

back to the openssh default of

    #UsePAM no