Hi, on Fri, Sep 28, 2007 at 17:18:33 -0400, Frédéric Brière wrote:
> This reflects the change that occurred in pam_unix in September 2005, > where the logging went from "(pam_unix)" to "pam_unix(ssh:auth)". This > was already done in the second auth.fail rule, but not in the first, > hence this report. Looking at those two lines, they could just be different versions of the same thing, here are the commented differences: * the second omits the PID of the ssh daemon - mistake or did older messages look like that? (the ones I see do have the PID) * the second does use the new PAM format - but does the part after ssh: really need to match anything but auth? * the first uses tty=ssh (which I do see in current mesages) if the second form with the empty tty also currently exists, a tty=(ssh)? won't hurt * the first uses much wider (just any non-space char) patterns for rhost= and user= * the first makes the user= part optional, I see that in current messages elmar -- .'"`. /"\ | :' : Elmar Hoffmann <[EMAIL PROTECTED]> ASCII Ribbon Campaign \ / `. `' GPG key available via pgp.net against HTML email X `- & vCards / \
signature.asc
Description: Digital signature
