1

We have successfully setup ssh daemon with LDAP authentication on CentOS 7.

But there are weird log messages in /var/log/secure even the user successfully login ( first line ) :

Dec  5 08:28:13 HOSTNAME.SERVER sshd[11195]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=HOSTNAME.CLIENT  user=USERNAME
Dec  5 08:28:13 HOSTNAME.SERVER sshd[11195]: Accepted password for USERNAME from IP.CLIENT port 25423 ssh2
Dec  5 08:28:13 HOSTNAME.SERVER sshd[11195]: pam_unix(sshd:session): session opened for user USERNAME by (uid=0)

How can we suppress the "authentication failure" log ?

Here are our setting files which we guess as related:

/etc/pam.d/system-auth-ac

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

/etc/pam.d/password-auth-ac

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
Joe Horn
  • 152
  • 8

1 Answers1

1

According Red Hat KB article 881103

This is expected behaviour from pam_unix and the message is normal and harmless.

There is no configuration option within pam_unix to stop logging those messages.

The default pam configuration tries to authenticate a user using pam_unix first, then using pam_ldap.so module if authentication with pam_unix is failed.

The article will also show a possible configuration change if you like to remove these default failures errors from logging.

U880D
  • 1,017
  • 2
  • 12
  • 18
  • 2
    Since the question specifically asks how to supress the log messages, rather than whether the behavior is normal, you should include _how_ to do that rather than making this essentially a "link only" answer, which, due to link rot, is frowned upon at ServerFault – Colt Jan 04 '18 at 16:35