Created attachment 2204
Use error() to report "Received disconnect" messages to the user

In packet.c, logit() is used to report SSH2_MSG_DISCONNECT and SSH_MSG_DISCONNECT messages to the user. This means that if the user has LogLevel set to "error," such messages will be suppressed. Since the circumstances which trigger packet_disconnect() to be called are really error conditions, it seems more appropriate to use error().

One scenario where this occurs is when a user has LogLevel=error to suppress the login banner of the remote system, but exceeds MaxAuthTries due to a combination of failed hostbased and public-key authentication attempts. In that case, the user receives no feedback.
Comment on attachment 2204
Use error() to report "Received disconnect" messages to the user

I think this is a good idea. Darren?
applied - this will be in openssh-6.2, due soon. Thanks again
mark bugs closed by openssh-6.2 release as CLOSED
hm. one problem: the client does send this packet type at the normal end of a connection, although it doesn't use packet_disconnect() to do it:

    if (compat20) {
        packet_start(SSH2_MSG_DISCONNECT);
        packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
        packet_put_cstring("disconnected by user");
        packet_put_cstring(""); /* language tag */
        packet_send();
        packet_write_wait();
    }

resulting in a lot of this kind of thing in syslog:

    sshd[12224]: error: Received disconnect from 192.168.32.1: 11: disconnected by user
Created attachment 2239
Hush sshd-side error for SSH2_DISCONNECT_BY_APPLICATION disconnects
Comment on attachment 2239
Hush sshd-side error for SSH2_DISCONNECT_BY_APPLICATION disconnects

Only the client generates SSH2_DISCONNECT_BY_APPLICATION exit notifications and AFAIK it is the only sensible code for client-initiated disconnects in the standard. I think it is safe to drop them back to debug().
Sorry for overlooking this case. However, logging client-initiated disconnects with SYSLOG_LEVEL_DEBUG might be an issue with sites that expect a message to be logged at session termination. The behaviour prior to 6.2 was to log such messages via logit() and thus SYSLOG_LEVEL_INFO. So, it might be better to do:

    reason == SSH2_DISCONNECT_BY_APPLICATION ? SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR
I agree with Iain: it was logit() which was info, so the client disconnect case should go back to what it was (INFO). Otherwise, ok.
I committed with SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR a couple of weeks back and it will be in 6.2p2
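The three logging behaviours discussed in this thread, modeled side by side as an added example (not code from the bug report, its attachments, or the OpenSSH source). The policy names, the `log_disconnect()` helper, and the sample peer address and message for reason 2 are constructed for illustration; the level ordering and the "error: " prefix follow OpenSSH's logging conventions.

```c
#include <stdio.h>
#include <string.h>

/* Level order mirrors OpenSSH's log.h: a message is emitted only when
 * its level is <= the configured LogLevel. */
typedef enum { LVL_QUIET, LVL_FATAL, LVL_ERROR, LVL_INFO, LVL_VERBOSE, LVL_DEBUG } lvl_t;

/* Disconnect reason codes from RFC 4253, section 11.1. */
#define DISCONNECT_PROTOCOL_ERROR   2
#define DISCONNECT_BY_APPLICATION  11

/* Hypothetical names for the three behaviours described in the thread. */
typedef enum {
    POLICY_PRE_62,  /* logit(): every received disconnect at INFO */
    POLICY_62,      /* error(): every received disconnect at ERROR */
    POLICY_62P2     /* BY_APPLICATION at INFO, everything else at ERROR */
} policy_t;

lvl_t disconnect_level(policy_t p, int reason)
{
    switch (p) {
    case POLICY_PRE_62: return LVL_INFO;
    case POLICY_62:     return LVL_ERROR;
    default:
        return reason == DISCONNECT_BY_APPLICATION ? LVL_INFO : LVL_ERROR;
    }
}

/* Returns 1 and fills buf if the message passes the configured LogLevel. */
int log_disconnect(policy_t p, lvl_t configured, const char *peer,
                   int reason, const char *msg, char *buf, size_t len)
{
    lvl_t l = disconnect_level(p, reason);
    if (l > configured) { buf[0] = '\0'; return 0; }
    snprintf(buf, len, "%sReceived disconnect from %s: %d: %s",
             l == LVL_ERROR ? "error: " : "", peer, reason, msg);
    return 1;
}

int main(void)
{
    char b[256];
    /* Constructed input: client with LogLevel=error, server sends reason 2. */
    if (!log_disconnect(POLICY_PRE_62, LVL_ERROR, "192.0.2.10",
                        DISCONNECT_PROTOCOL_ERROR, "sample failure", b, sizeof b))
        puts("pre-6.2, LogLevel=error: disconnect suppressed");
    /* sshd at LogLevel=info under 6.2: normal client exit logged as error. */
    if (log_disconnect(POLICY_62, LVL_INFO, "192.168.32.1",
                       DISCONNECT_BY_APPLICATION, "disconnected by user", b, sizeof b))
        puts(b);
    return 0;
}
```

For log monitoring, the practical consequence is that a rule matching `error: Received disconnect` needs to account for reason 11 on hosts running the 6.2 behaviour, where normal client exits carry the error prefix.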
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1