openssh bugs - Jan 2005 - [Bug 973] sshd behaves differently while doing syslog entries for tcpwrappers denied message, with -r and without -r option.

http://bugzilla.mindrot.org/show_bug.cgi?id=973

           Summary: sshd behaves differently while doing syslog entries for
                    tcpwrappers denied message, with -r and without -r
                    option.
           Product: Portable OpenSSH
           Version: 3.9p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: logsnaath at gmx.net
   Estimated Hours: 0.00


When sshd is run without -r option the syslog messages from tcpwrappers denied 
message are not written to the configured syslog file. This happens when syslog
facility is given as local7 and the level is given as info in the sshd
configuration file



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From dtucker at zip.com.au  2005-01-17 15:29 -------
Created an attachment (id=769)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=769&action=view)
reinit log after receiving config after reexec

I think I see the problem: when reexec is enabled, log_init() is called before
recv_rexec_state() and load_server_config(), so the log will be pointing to
whatever the default is.

Please try this patch.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #769 is|0                           |1
           obsolete|                            |



------- Additional Comments From dtucker at zip.com.au  2005-01-17 15:34 -------
Created an attachment (id=770)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=770&action=view)
reinit log after reexec, take 2

Please try this one instead, it should also work when the log params are left
unset.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |914
              nThis|                            |
             Status|NEW                         |ASSIGNED
           Keywords|                            |openbsd, patch





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From logsnaath at gmx.net  2005-01-17 21:55 -------
I tried both the patches but still the log messages of tcp wrapper are not 
written to configured syslog file. 



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From dtucker at zip.com.au  2005-01-17 22:03 -------
What platform (and version) are you seeing the problem on ?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From logsnaath at gmx.net  2005-01-17 22:47 -------
OpenSSH Version : 3.9p1
Platform :  Fedora core 2
kernel : 2.6.5-1.358




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From dtucker at zip.com.au  2005-01-17 23:11 -------
Which message is missing?  Is it this one:
sshd: refused connect from [foo] ?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From logsnaath at gmx.net  2005-01-17 23:39 -------
I have these two entries in /etc/syslog.conf
local7.info                                             /var/log/ssh.log
*.info;mail.none;authpriv.none;cron.none;local7.none    /var/log/messages

The message "sshd: refused connect from [foo]" appears in
/var/log/messages but
not in /var/log/ssh.log.

But when sshd is run with -r option the message goes to /var/log/ssh.log alone



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From dtucker at zip.com.au  2005-01-17 23:48 -------
What do you have SyslogFacility and LogLevel set to in sshd_config? 



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From logsnaath at gmx.net  2005-01-18 00:30 -------
my /etc/sshd_config file has
SyslogFacility LOCAL7
LogLevel INFO





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #770 is|0                           |1
           obsolete|                            |




------- Additional Comments From dtucker at zip.com.au  2005-01-19 19:22 -------
Created an attachment (id=772)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=772&action=view)
reinit log after reexec, take 3

OK, I think I have it: log_init doesn't get called correctly at the point
refuse() is called, so the messages get sent to the wrong place.

Please try this patch.	If it works I'll dig out my ouija board and try to
determine how it's supposed to work when reexec is enabled :-)



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From logsnaath at gmx.net  2005-01-19 21:28 -------
I tried the patch 3, but still the problem persists. 



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #772 is|0                           |1
           obsolete|                            |




------- Additional Comments From dtucker at zip.com.au  2005-01-19 22:51 -------
Created an attachment (id=773)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=773&action=view)
force log_init to reopen syslog

Sigh.  OK, new theory: although log_init has been called, openlog() hasn't
so
when libwrap calls syslog it still points to the default settings.

Since the log functions do openlog/closelog, logging *anything* means that it
will be pointing at the right place afterward (which meant that the debugging I
added while working on it that made the problem go away, not the alleged fixes.
 A neato Heisenbug).

Hopefully this patch will finally nail it; I mean, at some point I have to run
out of wrong ideas, right :-?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From logsnaath at gmx.net  2005-01-20 00:05 -------
Great. This patch worked. 



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973


atlunde at panix.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |atlunde at panix.com






------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973





------- Additional Comments From dtucker at zip.com.au  2005-01-24 22:15 -------
*** Bug 948 has been marked as a duplicate of this bug. ***



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|openbsd                     |




------- Additional Comments From dtucker at zip.com.au  2005-01-24 23:47 -------
It appears that OpenBSD's libwrap (or, more likely, its syslog libraries)
are
not fooled so easily.  The refuse message always goes to the default log
(/var/log/messages on my box) and not to sshd's SyslogFacility, regardless
of
whether or not reexec is invoked and/or messages are logged before the refuse.

I suspect it boils down to what the OS does in this case:

openlog(..., int facility);
syslog(..., "message1");
closelog();
syslog(..., "message2");

It appears that on OpenBSD, message1 will go to different places if the facility
is set.  On other platforms, message2 will end up wherever message1 went (as you
saw).

The upshot is that if we're going to do something about it, it ought to be
-Portable only (new patch to follow).



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #773 is|0                           |1
           obsolete|                            |




------- Additional Comments From dtucker at zip.com.au  2005-01-24 23:50 -------
Created an attachment (id=786)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=786&action=view)
force reopen of syslog (fixed for openlog_r too)

Force reopen of syslog, which should mean that behaviour should at least be
consistent on all platforms regardless of whether or not reexec is enabled. 
OK?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=973


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From dtucker at zip.com.au  2005-02-01 17:36 -------
Patch #786 committed.  Thanks for the report.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.