From: Andrew Konstantinov
To: freebsd-stable@freebsd.org
Date: Sun, 30 Jan 2005 00:43:59 -0800
Subject: 5.3 -> 5 : sshd multiple log entries & login_getclass: unknown class 'root'
Message-ID: <20050130084359.GA36069@warrior.kableu.com>

Hello,

As the topic says, I've experienced some unusual sshd behavior after I moved some of my systems from RELENG_5_3 to RELENG_5 recently.
The unusuality of the behavior is illustrated by the following excerpt from the /var/log/auth.log on the RELENG_5 system:

    Jan 29 14:53:38 mail sshd[699]: login_getclass: unknown class 'root'
    Jan 29 14:53:38 mail last message repeated 3 times
    Jan 29 14:53:38 mail sshd[699]: Accepted publickey for root from 192.168.0.1 port 60094 ssh2
    Jan 29 14:53:38 mail sshd[698]: Accepted publickey for root from 192.168.0.1 port 60094 ssh2
    Jan 29 15:32:15 mail sshd[836]: login_getclass: unknown class 'root'
    Jan 29 15:32:15 mail last message repeated 3 times
    Jan 29 15:32:15 mail sshd[836]: Accepted publickey for root from 192.168.0.1 port 53837 ssh2
    Jan 29 15:32:15 mail sshd[835]: Accepted publickey for root from 192.168.0.1 port 53837 ssh2
    Jan 29 16:40:16 mail sshd[1034]: login_getclass: unknown class 'root'
    Jan 29 16:40:16 mail last message repeated 3 times
    Jan 29 16:40:16 mail sshd[1034]: Accepted publickey for root from 192.168.0.1 port 54714 ssh2
    Jan 29 16:40:16 mail sshd[1033]: Accepted publickey for root from 192.168.0.1 port 54714 ssh2
    Jan 29 17:10:27 mail sshd[1125]: login_getclass: unknown class 'root'
    Jan 29 17:10:27 mail last message repeated 3 times
    Jan 29 17:10:27 mail sshd[1125]: Accepted publickey for root from 192.168.0.1 port 54337 ssh2
    Jan 29 17:10:27 mail sshd[1124]: Accepted publickey for root from 192.168.0.1 port 54337 ssh2

All of the systems have a login.conf which contains an entry for a root class. I've rebuilt the login.conf.db database to make sure that it's not a filesystem glitch and even copied the default login.conf from /usr/src followed by rebuilding the login.conf.db database, but none of that helped. The manual page for the login_getclassbyname() explicitly states:

    In addition, if the referenced user has a UID of 0 (normally, "root",
    although the user name is not considered) then login_getpwclass() will
    search for a record with an id of "root" before it searches for the
    record with the id of "default".

So, the "root" entry IS there but for some reason either sshd is being buggy or login_getclassbyname() is behaving strangely because as far as I know this shouldn't be happening.

Also, for some reason, for each successful login attempt there are two identical entries apparently made by two different instances/forks of sshd since they have different PIDs. This started happening at the same time when the first problem appeared, which is after the recent upgrade from RELENG_5_3 to RELENG_5.

I've taken a diff between RELENG_5_3 and RELENG_5 but didn't find any obvious changes that could have led to this unusual situation. I guess that the only somewhat related change could be the addition of the "logpriv" mechanism for protection against consequences of syslogd flooding.

To convince myself that all of this is specific to the RELENG_5_3 -> RELENG_3 upgrade, I've just reversed one of the systems back to RELENG_5_3 and all of the above mentioned problems have disappeared. All of the upgrades and downgrades have been accompanied with mergemaster.

Some additional info about the "mail" system above:

    mail# uname -rs
    FreeBSD 5.3-STABLE
    mail# grep ssh /etc/rc.conf
    sshd_enable="YES"
    mail# grep syslog /etc/rc.conf
    syslogd_flags="-4 -s -b 192.168.0.7"
    mail# grep root /etc/master.passwd | head -1
    root:*:0:0::0:0:Andrew Konstantinov:/root:/bin/csh
    mail# grep -EA 3 '^root:\\' /etc/login.conf
    root:\
            :ignorenologin:\
            :tc=default:
    mail#

Am I missing something obvious here? Any pointers on debugging this? Please, let me know if additional info is needed.

Thanks,
Andrew
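
An added example, not part of the original message: when auth.log looks like the excerpt above, counting "Accepted" lines double-counts logins, so this groups them by timestamp, user, source address and port and records which sshd PIDs logged each one, and totals the login_getclass warnings including syslogd's "last message repeated" lines. The function name `analyze` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the auth.log excerpt quoted in the message.
SAMPLE_LOG = """\
Jan 29 14:53:38 mail sshd[699]: login_getclass: unknown class 'root'
Jan 29 14:53:38 mail last message repeated 3 times
Jan 29 14:53:38 mail sshd[699]: Accepted publickey for root from 192.168.0.1 port 60094 ssh2
Jan 29 14:53:38 mail sshd[698]: Accepted publickey for root from 192.168.0.1 port 60094 ssh2
Jan 29 15:32:15 mail sshd[836]: login_getclass: unknown class 'root'
Jan 29 15:32:15 mail last message repeated 3 times
Jan 29 15:32:15 mail sshd[836]: Accepted publickey for root from 192.168.0.1 port 53837 ssh2
Jan 29 15:32:15 mail sshd[835]: Accepted publickey for root from 192.168.0.1 port 53837 ssh2
"""

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
SSHD = re.compile(r"^sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port (\d+)")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
UNKNOWN = re.compile(r"^login_getclass: unknown class '([^']*)'")

def analyze(text):
    logins = defaultdict(set)   # (time, user, addr, port) -> PIDs that logged it
    unknown = defaultdict(int)  # class name -> number of warnings
    prev = None                 # class named on the preceding line, if any
    for raw in text.splitlines():
        m = LINE.match(raw)
        rest = m.group(3) if m else ""
        rep = REPEAT.match(rest)
        if rep:                 # syslogd collapsed N copies of the last line
            if prev is not None:
                unknown[prev] += int(rep.group(1))
            continue
        prev = None
        s = SSHD.match(rest)
        if not s:
            continue
        pid, msg = s.groups()
        a, u = ACCEPT.match(msg), UNKNOWN.match(msg)
        if a:                   # same connection may be logged by several PIDs
            logins[(m.group(1),) + a.groups()].add(int(pid))
        elif u:
            prev = u.group(1)
            unknown[prev] += 1
    return dict(logins), dict(unknown)
```

A key whose PID set has more than one member is a single connection that was logged more than once.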