Hello,

I downloaded and compiled the Mar 2, 2005 snapshot and compiled it with
bsm auditing for solaris turned on. I've been noticing about a dozen or
so of the following messages per day now. Not sure exactly what it is, or
if it is a big issue.

Mar 3 13:46:10 machine_name sshd[15298]: [ID 800047 auth.crit] fatal: mm_request_send: write

If it matters it is running on solaris 8 sparc, with pretty current
patches applied.

Thanks,
Matt Goebel

--
Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating Furry Fan.
"Always with the negative waves, Moriarty" - Oddball
"Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer

Matt Goebel wrote:
> I downloaded and compiled the Mar 2, 2005 snapshot and compiled it with
> bsm auditing for solaris turned on. I've been noticing about a dozen or
> so of the following messages per day now. Not sure exactly what it is, or
> if it is a big issue.
>
> Mar 3 13:46:10 machine_name sshd[15298]: [ID 800047 auth.crit] fatal: mm_request_send: write

If that message is preceded by "unpermitted request 56" or similar then I
think I know what it is: something is causing an audit event before the
monitor has allowed them. I suspect it's a connection that is disconnected
without supplying a username, or which supplies a username but does not
attempt any auth methods.

Please try this patch.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-bsm-monitor.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050304/e34e833f/attachment.ksh

Matt Goebel wrote:
> I downloaded and compiled the Mar 2, 2005 snapshot and compiled it with
> bsm auditing for solaris turned on. I've been noticing about a dozen or
> so of the following messages per day now. Not sure exactly what it is, or
> if it is a big issue.
>
> [ID 800047 auth.crit] fatal: mm_request_send: write

I think I have figured out the cause of this one: it was trying to catch
the connection close event during the cleanup, but by that time it may be
too late as the monitor may already be shut down. If the monitor has
already shut down then sending the request will fail, causing the error
you're seeing.

Please try the attached patch (which should apply on top of the previous
patch). I'll attach the patch to bug #125 too.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-audit-close.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050305/279782ec/attachment.ksh
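
The failure described in the last message (a request sent during cleanup after the monitor has already shut down), as an added example that is not part of this thread, the attached patches or the OpenSSH source. It is a simplified model over a socketpair: `demo_request_send`, `send_close_event`, the 5-byte header framing and the use of 56 as a sample request number are assumptions for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write exactly len bytes; returns 0 on success, -1 with errno set. */
static int write_all(int fd, const unsigned char *p, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Hypothetical request framing: 4-byte big-endian length, 1-byte type, payload. */
int demo_request_send(int fd, uint8_t type, const unsigned char *buf, uint32_t plen) {
    uint32_t len = plen + 1; /* length covers the type byte plus payload */
    unsigned char hdr[5] = { (unsigned char)(len >> 24), (unsigned char)(len >> 16),
                             (unsigned char)(len >> 8), (unsigned char)len, type };
    if (write_all(fd, hdr, sizeof(hdr)) < 0) return -1;
    return write_all(fd, buf, plen);
}

/* Child sends one "connection close" request to the monitor end of a
 * socketpair. With monitor_alive == 0 the monitor end is closed first,
 * modelling a monitor that has already shut down. Returns 0 or the errno. */
int send_close_event(int monitor_alive) {
    int sp[2], err = 0;
    signal(SIGPIPE, SIG_IGN); /* get EPIPE from write() instead of dying on the signal */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return errno;
    if (!monitor_alive) close(sp[0]);
    /* 56 is only a sample request number (the one quoted earlier in the thread) */
    if (demo_request_send(sp[1], 56, (const unsigned char *)"", 0) < 0) err = errno;
    if (monitor_alive) close(sp[0]);
    close(sp[1]);
    return err;
}

int main(void) {
    printf("monitor alive: %s\n", strerror(send_close_event(1)));
    printf("monitor gone:  %s\n", strerror(send_close_event(0)));
    return 0;
}
```

A sender that treats any write failure as fatal, as the logged `fatal: mm_request_send: write` message indicates, will therefore abort at `auth.crit` whenever the close event is raised after the peer has gone away.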