I run
ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019
on
lsb_release -rd
Description: openSUSE Leap 15.1
Release: 15.1
as well as a # of TW instances.
Every time I ssh to a remote, e.g.
whoami
pgnd
ssh -F /etc/ssh/ssh_config -l root remote.example.com
the remote syslog gets spammed with,
Aug 12 12:18:07 remote sshd[6608]: Accepted publickey for root from 10.10.10.66 port 30518 ssh2: ED25519 SHA256:i0...yY
Aug 12 12:18:08 remote sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/gcc
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 12:18:08 remote sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/g++
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 12:18:08 remote sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/gcc-9 /usr/bin/cc
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 12:18:08 remote sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/g++-9 /usr/bin/c++
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
Aug 12 12:18:08 remote sudo: root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/ln -sf /usr/bin/cpp-9 /usr/bin/cpp
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Aug 12 12:18:08 remote sudo: pam_unix(sudo:session): session closed for user root
This, ***How to stop sudo PAM messages in auth.log for a specific user?*** (https://unix.stackexchange.com/questions/224370/how-to-stop-sudo-pam-messages-in-auth-log-for-a-specific-user), for Debian, suggests shutting-up the pam_unix sudo spam with an edit to
/etc/pam.d/sudo
...
+ session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = zabbix
session required pam_unix.so:
...
on my boxes, the file’s got different content than Debian to start with,
/etc/pam.d/sudo
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session
# session optional pam_xauth.so
where,
(a) it does NOT use Debian's "@include" syntax,
&
(b) there's no instance of "pam_unix.so"
On Leap/TW, what – specifically – needs to be added/changed in its pam config to similarly shut this log-spam up?
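Added example, not part of the original post: since the sudo file above only pulls in common-session via `include`, this sketch follows `include`/`substack` (and Debian's `@include`) to report the file and line where a given module actually sits. The function names `pam_trace` and `pam_trace_demo` are hypothetical, and the common-session content in the demo is constructed, because the post does not show that file.

```shell
# Added example: find where a PAM module enters a service's stack by
# following "include"/"substack" and Debian-style "@include" directives.

pam_trace() {  # usage: pam_trace SERVICE TYPE MODULE [PAM_DIR] ; prints file:line
    local service="$1" type="$2" module="$3" dir="${4:-/etc/pam.d}" depth="${5:-0}"
    local file n=0 t control target rest line
    file="$dir/$service"
    [ -r "$file" ] && [ "$depth" -lt 8 ] || return 0     # depth limit guards against include loops
    while read -r t control target rest || [ -n "$t" ]; do
        n=$((n + 1))
        case "$t" in
            ''|'#'*) continue ;;
            @include) pam_trace "$control" "$type" "$module" "$dir" $((depth + 1)); continue ;;
        esac
        [ "${t#-}" = "$type" ] || continue               # a leading "-" marks an optional module
        case "$control" in
            include|substack)
                pam_trace "$target" "$type" "$module" "$dir" $((depth + 1)); continue ;;
            '['*)                                        # "[success=1 default=ignore]" contains spaces
                line="$control $target $rest"; line="${line#*]}"
                line="${line#"${line%%[![:space:]]*}"}"  # trim leading whitespace
                target="${line%%[[:space:]]*}" ;;
        esac
        [ "${target##*/}" = "$module" ] && echo "$file:$n"
    done < "$file"
    return 0
}

pam_trace_demo() {  # optional $1: module to look for (default pam_unix.so)
    local d; d="$(mktemp -d)"
    # /etc/pam.d/sudo as quoted in the post
    cat > "$d/sudo" <<'EOF'
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session
# session optional pam_xauth.so
EOF
    # Constructed common-session (assumption: the real file is not shown in the post)
    cat > "$d/common-session" <<'EOF'
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0
session required pam_unix.so try_first_pass
EOF
    ( cd "$d" && pam_trace sudo session "${1:-pam_unix.so}" . )
    rm -rf "$d"
}
pam_trace_demo
```

On a real system, `pam_trace sudo session pam_unix.so` reads /etc/pam.d directly and names the file that would need editing.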