A refusal based on TCP wrappers now defaults to the syslog facility LOG_USER (which is the default if none is defined) as opposed to the facility used by the rest of ssh. The attached patch changes this behavior such that it logs with the SyslogFacility as defined in the options (or the default of LOG_AUTH).
Created attachment 917: Patch to allow TCP wrapper refusals to log with SyslogFacility facility
Looks like this should be a portable-only change as it has no effect on OpenBSD. Damien?
Comment on attachment 917: Patch to allow TCP wrapper refusals to log with SyslogFacility facility
Why is this proposed for portable only? The same code is in OpenBSD. Also, I don't think the bit-wise OR of log_facility is correct - according to syslog(3) the level is an ordered list, not a bitmask.
(In reply to comment #3)
> (From update of attachment 917)
> Why is this proposed for portable only? The same code is in OpenBSD.
It doesn't occur on OpenBSD although I don't recall why. The change could go into OpenBSD (and would be a no-op) but it's not required.
> Also, I don't think the bit-wise OR of log_facility is correct -
> according to syslog(3) the level is an ordered list, not a bitmask.
Level is an ordered list (as is facility, I believe), however the two are bitwise or'ed together. Quoth syslog(3): "The priority argument is formed by ORing the facility and the level values (explained below)."
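The facility/level encoding discussed in the reply above, as an added example that is not part of the original thread or of the attached patch. It assumes the common BSD/glibc layout (level in the low three bits); the helper names and the choice of LOG_WARNING as the refusal level are hypothetical.

```c
#include <stdio.h>
#include <syslog.h>

/* Assumption: common BSD/glibc encoding, level in the low 3 bits of the
 * priority and the facility in the bits above them. */
#define LEVEL_MASK 0x07

static int pri_level(int pri)    { return pri & LEVEL_MASK; }
static int pri_facility(int pri) { return pri & ~LEVEL_MASK; }

/* Hypothetical helper modelling syslog(3): a priority that carries no
 * facility bits is logged with the default facility, which is LOG_USER
 * unless openlog() set another one. */
static int effective_priority(int pri, int default_facility)
{
    if (pri_facility(pri) == 0)
        pri |= default_facility;
    return pri;
}

/* Hypothetical helper: severity for a refusal message, formed by ORing
 * the configured facility with the level, as syslog(3) describes.
 * LOG_WARNING is a constructed choice for this example. */
static int refusal_severity(int configured_facility)
{
    return configured_facility | LOG_WARNING;
}

int main(void)
{
    /* Level only: the message falls back to the default facility. */
    int bare = effective_priority(LOG_WARNING, LOG_USER);
    /* Facility ORed in: the message keeps the configured facility. */
    int tagged = effective_priority(refusal_severity(LOG_AUTH), LOG_USER);

    printf("bare:   facility=%d level=%d\n",
           pri_facility(bare) >> 3, pri_level(bare));
    printf("tagged: facility=%d level=%d\n",
           pri_facility(tagged) >> 3, pri_level(tagged));
    return 0;
}
```

Because the facility occupies its own bits, the OR does not disturb the ordered level value; both fields can be recovered independently from the combined priority.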
Patch has been applied and will be in the 4.8 release. Thanks.
Fix shipped in 4.9/4.9p1 release.