Bug 1571

Summary: "subsystem request for sftp" log entry can't be correlated with a user
Product: Portable OpenSSH Reporter: TenToThe9
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm
Priority: P2    
Version: 5.2p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 1708    
Attachments:
Description Flags
/home/djm/sshd-subsys-req-log-user.diff dtucker: ok+

Description TenToThe9 2009-03-11 02:17:14 AEDT 
sshd logs the message "subsystem request for sftp" without giving any identifiable information.  Even the process ID (if present) is not used in other messages.

Please add at least a username to the log message.
Comment 1 Damien Miller 2009-11-20 15:37:01 AEDT 
We don't log the user in all log entries because they can be correlated by PID, which your syslogd should record.
Comment 2 TenToThe9 2010-01-26 02:13:28 AEDT 
That's just the problem: the pid in the "subsystem requested" line does not match the pid in the "Accepted ... for ..." line.  This might be because of privilege separation.
Comment 3 Damien Miller 2010-06-18 14:25:11 AEST 
The privsep child pid is logged at loglevel=verbose, but it isn't hard to add the username to the message. I'll make a diff.
Comment 4 Damien Miller 2010-06-18 14:26:57 AEST 
Created attachment 1872 [details]
/home/djm/sshd-subsys-req-log-user.diff

log username on subsystem request line
Comment 5 Damien Miller 2010-06-22 14:59:44 AEST 
patch applied - this will be in OpenSSH-5.6
Comment 6 Damien Miller 2011-01-24 12:33:30 AEDT 
Move resolved bugs to CLOSED after 5.7 release