Bug#1021613: systemd: generates too much log for ssh connection
Michael Biebl
biebl at debian.org
Wed Oct 12 12:42:55 BST 2022

On 12.10.22 at 13:15, Vincent Lefevre wrote:
> On 2022-10-12 11:39:40 +0200, Michael Biebl wrote:
>> What you see here is expected behaviour:
>> Your login via SSH is apparently done via PAM, which triggers the start of a
>> systemd --user instance (with all that it entails). And systemd dutifully
>> logs everything when setting up that user instance (and tearing it down
>> again on log out).
>
> Well, the account was created by adduser with the --disabled-login
> option. So I wonder why a systemd --user instance is started.

disabled-login means disabled password. You can still log in as that
user via other means (su, sudo, SSH keys).
Which mechanism do you use?

>> If you generate lots of SSH logins via subversion, then this will generate
>> lots of log messages.
>
> Yes, this can happen several times per minute.
>
>> Maybe there is a way to use a more restricted environment/login shell for
>> subversion access which doesn't trigger PAM.
>
> According to what I've read on serverfault.com, it is discouraged
> to disable PAM (in particular, it is involved in authentication).

I wouldn't recommend disabling PAM in SSH (I assume you meant "UsePAM no"
in sshd_config), but use a different login shell for subversion where
PAM is not involved or rather, which uses a custom PAM profile where you
can exclude pam_systemd.so.

>> If you don't want to constantly start/stop the user instance, you can also
>> use linger, so the user instance will stick around if you terminate your SSH
>> session.
>
> However, I suppose that this would take useless resources. IMHO,
> a systemd --user instance is not useful for such a user anyway
> (and perhaps pam_systemd is not needed in any case on this machine:
> this is just a personal VM, not a desktop machine, not a multi-user
> server, so I'm wondering what it is used for).
>
I don't really know your particular setup, so it's a bit hard to give
proper advice.
But if the user used for subversion access is not meant to be a
*regular* user but some kind of specialized (system) user, it could
indeed be an option to disable systemd --user for this particular user.
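
One way to exclude pam_systemd.so for a single account, as suggested in the message above (an added example, not part of the thread or of the Debian packaging): a `pam_succeed_if.so` rule with `success=1` placed directly before the `pam_systemd.so` session line makes PAM jump over that module for the named user. The account name `svn`, the helper function names and the sample stack are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a PAM session stack (not copied from a real system).
sample_stack() {
    printf '%s\n' \
        'session required pam_unix.so' \
        'session optional pam_systemd.so'
}

# skip_pam_systemd FILE USER
# Print FILE with a skip rule inserted before each pam_systemd.so session line.
# Re-running it on its own output adds nothing (idempotent).
skip_pam_systemd() {
    awk -v user="$2" '
        # success=1: when the user matches, skip the next module in the stack.
        BEGIN { rule = "session [success=1 default=ignore] pam_succeed_if.so quiet user = " user }
        {
            hit = 0
            if ($1 == "session" || $1 == "-session")
                for (i = 2; i <= NF; i++) if ($i == "pam_systemd.so") hit = 1
            if (hit && prev != rule) print rule
            print
            prev = $0
        }' "$1"
}

# pam_systemd_runs_for FILE USER
# Exit 0 if some pam_systemd.so session line is NOT guarded by the skip rule
# above for USER (so a systemd --user instance would still be started).
# Only the exact rule written by skip_pam_systemd is recognised.
pam_systemd_runs_for() {
    awk -v user="$2" '
        BEGIN { rule = "session [success=1 default=ignore] pam_succeed_if.so quiet user = " user; runs = 0 }
        {
            if ($1 == "session" || $1 == "-session")
                for (i = 2; i <= NF; i++)
                    if ($i == "pam_systemd.so" && prev != rule) runs = 1
            prev = $0
        }
        END { exit(runs ? 0 : 1) }' "$1"
}

# Demo on a temporary copy; nothing under /etc/pam.d is touched.
demo=$(mktemp)
sample_stack > "$demo"
skip_pam_systemd "$demo" svn
rm -f "$demo"
```

On Debian the `pam_systemd.so` session line normally lives in `/etc/pam.d/common-session`, which is managed by `pam-auth-update`, so test the change on a copy and keep a root session open while verifying logins.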