TLDR: We use PAM with SSHD. CentOS and Ubuntu exist in the environment. For every SSHD failure of an unknown user, it creates two messages. One of the messages doesn't provide the unknown username and junks up our SIEM. I want to cull the messages at the source vs. drop them at the SIEM. I still want other PAM auth messages, for now.
With that said, I'm trying to figure out how to get the following PAM message silenced, since it's redundant to another PAM message. It's also possible that all of the lower-level PAM messages are redundant to higher-level sshd syslog messages, but I want to at least silence the useless PAM message first before doing additional tuning.
Useless PAM message:
sshd[] pam_unix(sshd:auth): check pass; user unknown
The above is redundant to the following more verbose message (which is sent near-instantaneously):
sshd[] pam_sss(sshd:auth): received for user : 10 (User not known to the underlying authentication module)
I believe both of these may also be redundant to this higher-level message generated by sshd itself:
sshd[] error: PAM: User not known to the underlying authentication module for illegal user from
I tried digging through several man pages on PAM to understand how the different files link together.
Based on the syslog message, I believe this has to do with the PAM auth module, so looking in the password-auth-ac file (linked by the pass-auth symlink), we have the following:
auth required pam_env.so
auth required pam_faildelay.so delay=20000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
If my assumptions above are correct, I would have thought the line that would trigger the "check pass; unknown user" message would have been line 4: pam_localuser.so. However, that line instructs us to ignore the results of that, so my next thought is that it may actually be generated on the "auth sufficient pam_unix.so" line or the pam_sss line, since they're referenced by the syslog entries. I read the man page and modified the file to feed that line the quiet argument, but that didn't work.
The control flag sufficient equals [success=done new_authtok_reqd=done default=ignore], which, if I understand right, means the default=ignore should also cause this syslog to be ignored. I'm guessing at this point it's not actually generated on that line either, and I'm a bit confused about where to look next.
A few questions surrounding this:
Am I even looking at the right file to attempt to stop the logging? If yes, what am I misunderstanding about how to quiet the "check pass; user unknown" message?
If I want to more aggressively disable syslog generated from PAM for SSHD, what's the best way to accomplish that?
If I wanted to take it even further and disable all syslog generated from PAM, what's the best way to do that? (I'd like to turn it off in PAM vs. modify rsyslog filtering on what to forward to the syslog server.)
Lastly, assuming that I want to make a change for one of the options above, what's the best way to create a persistent change? The file warns it is auto-generated, but I'm not entirely sure how I'd make these types of changes using the authconfig command.
TIA. If this was covered somewhere else, just point me that way. I did do a bit of looking around here and on Reddit before posting this, but I didn't see anything along the lines of what exactly I'm trying to do, and clearly I couldn't piece it all together from the man pages well enough.