Oktober 2022
Mo	Di	Mi	Do	Fr	Sa	So
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31

tuxad blog

Syndicate

Site (RSS, Atom)

Contact

Weblog status

Total entries: 78
Last entry: 2022-10-16 13:52:24
Last updated: 2022-10-16 14:12:58

2014-07-02 21:03:25

Disable ssh session logging for specific user

A common problem for many users is a growing log file when you have many automated ssh logins. In this case you have hundreds or thousands lines like...

su: pam_unix(su:session): session opened for user ZZ
su: pam_unix(su:session): session closed for user ZZ

... in your log. Here is an example line count of a Red Hat / CentOS / Fedora system:

bash-3.2# grep -c " session " /var/log/secure
555706

If you search the net you will find many articles and posts with many tips, how to configure the level of syslog, how to configure sshd, use file attributes to set the log immutable and more crazy stuff.

Actually most modern linux system use PAM and as you see in the log line it is a session log of the module pam_unix. PAM is widely configurable and to exclude on specific user from session logging you just need to add one line to the session handling with pam_unix (example suitable for RH systems):

bash-3.2# diff -u /etc/pam.d.OFF/system-auth \
                  /etc/pam.d/system-auth
--- /etc/pam.d.OFF/system-auth  2007-05-30 11:34:27.00 +0200
+++ /etc/pam.d/system-auth      2014-07-02 20:31:55.00 +0200
@@ -14,4 +14,5 @@
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session ... pam_succeed_if.so service in \
                               crond quiet use_uid
+session [success=1 default=ignore] pam_succeed_if.so \
                               quiet uid eq 333
 session required pam_unix.so

With this patch the session logging for the user with UID 333 is disabled.

This is a similar patch for Debian:

--- /etc/OFF/common-session   2012-12-17 16:41:39.00 +0100
+++ /etc/pam.d/common-session 2014-09-16 02:07:35.00 +0200
@@ -20,6 +20,7 @@
 # this avoids us returning an error just because nothing...
 # since the modules above will each just jump around
 session        required                        pam_permit.so
+session [success=done default=ignore] pam_succeed_if.so \
                                       quiet uid eq 333
 # and here are more per-package modules (the "...
 session        required        pam_unix.so 
 session        optional        pam_ck_connector.so nox11

(Update 2014-09-29: fixed uploaded wrong patch, added debian patch)

Posted by Frank W. Bergmann | Permanent link | File under: ssh, logging