Bug#1021613: systemd: generates too much log for ssh connection
Vincent Lefevre
vincent at vinc17.net
Wed Oct 12 13:22:38 BST 2022
On 2022-10-12 13:42:55 +0200, Michael Biebl wrote:
> Am 12.10.22 um 13:15 schrieb Vincent Lefevre:
> > On 2022-10-12 11:39:40 +0200, Michael Biebl wrote:
> > > What you see here is expected behaviour:
> > > Your login via SSH is apparently done via PAM, which triggers the start of a
> > > systemd --user instance (with all that it entails). And systemd dutifully
> > > logs everything when setting up that user instance (and tearing it down
> > > again on log out).
> >
> > Well, the account was created by adduser with the --disabled-login
> > option. So I wonder why a systemd --user instance is started.
>
> disabled-login means disabled password. You can still log in as that user
> via other means (su, sudo, SSH keys).
> Which mechanism do you use?
No, you are confusing with --disabled-password:
--disabled-password
Like --disabled-login, but logins are still possible (for example
using SSH keys) but not using password authentication.
I really used --disabled-login. But the man page is really unclear.
The intent was to allow SSH connections, but "full" logins (with
additional services such as provided by systemd) are not necessary.
> I wouldn't recommend disable PAM in SSH (I assume you meant "UsePAM no" in
> sshd_config), but use a different login shell for subversion where PAM is
> not involved or rather, which uses a custom PAM profile where you can
> exclude pam_systemd.so.
Yes, I thought that this was the case for /bin/sh, as opposed to
/bin/bash (default for root, unless this has changed) or /bin/zsh.
But see below.
> I don't really know your particular setup, so it's a bit hard to give proper
> advice.
> But if the user used for subversion access is not meant to be a *regular*
> user but some kind of specialized (system) user, it could indeed be an
> option to disable systemd --user for this particular user.
This is certainly true for the special svn user, who has a
.ssh/authorized_keys file with only
command="/usr/bin/svnserve ...",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
lines.
BTW, I think that rather than with the login shell, pam_systemd.so
inclusion should be controled by such an option. Something like
"no-systemd" (or perhaps pam-options="..."). But this is a setting
that would need to be forwarded to PAM, I suppose.
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
More information about the Pkg-systemd-maintainers
mailing list