Juli 2014 Archives
2014-07-02 21:03:25
Disable ssh session logging for specific user
A common problem for many users is a growing log file when you have many automated ssh logins. In this case you have hundreds or thousands lines like...
su: pam_unix(su:session): session opened for user ZZ su: pam_unix(su:session): session closed for user ZZ
... in your log. Here is an example line count of a Red Hat / CentOS / Fedora system:
bash-3.2# grep -c " session " /var/log/secure 555706
If you search the net you will find many articles and posts with many tips, how to configure the level of syslog, how to configure sshd, use file attributes to set the log immutable and more crazy stuff.
Actually most modern linux system use PAM and as you see in the log line it is a session log of the module pam_unix. PAM is widely configurable and to exclude on specific user from session logging you just need to add one line to the session handling with pam_unix (example suitable for RH systems):
bash-3.2# diff -u /etc/pam.d.OFF/system-auth \ /etc/pam.d/system-auth --- /etc/pam.d.OFF/system-auth 2007-05-30 11:34:27.00 +0200 +++ /etc/pam.d/system-auth 2014-07-02 20:31:55.00 +0200 @@ -14,4 +14,5 @@ session optional pam_keyinit.so revoke session required pam_limits.so session ... pam_succeed_if.so service in \ crond quiet use_uid +session [success=1 default=ignore] pam_succeed_if.so \ quiet uid eq 333 session required pam_unix.so
With this patch the session logging for the user with UID 333 is disabled.
This is a similar patch for Debian:
--- /etc/OFF/common-session 2012-12-17 16:41:39.00 +0100 +++ /etc/pam.d/common-session 2014-09-16 02:07:35.00 +0200 @@ -20,6 +20,7 @@ # this avoids us returning an error just because nothing... # since the modules above will each just jump around session required pam_permit.so +session [success=done default=ignore] pam_succeed_if.so \ quiet uid eq 333 # and here are more per-package modules (the "... session required pam_unix.so session optional pam_ck_connector.so nox11
(Update 2014-09-29: fixed uploaded wrong patch, added debian patch)