[Logcheck-devel] Bug#567355: Add "disconnected by user" ignore for recent openssh-client

Loïc Minier lool at dooz.org
Thu Jan 28 17:14:48 UTC 2010 

Package: logcheck-database
Version: 1.3.5
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch

        Hi

 With the most recent openssh-client in Ubuntu lucid (10.04), I get new
 warnings with an Ubuntu karmic (9.10) openssh-server.  I think openssh
 in Ubuntu and Debian are really close, so I believe this will hit
 Debian pretty soon too.

 Please find a patch to address these.  According to the OpenSSH
 maintainer these are expected:
10:53 < lool> cjwatson: Hi, since a recent upgrade of the ssh client on lucid, 
          I get warnings in logcheck from auth.log; the following lines now 
          appear everytime I close a ssh connection:
10:53 < lool> Jan 28 10:52:51 fox sshd[26563]: Received disconnect from 
          192.168.0.119: 11: disconnected by user
10:53 < lool> (before pam session is closed)
10:54 < lool> cjwatson: I don't know whether this is expected or not, in which 
          case I'll update the logcheck rules
12:52 < cjwatson> lool: it appears to be intentional
12:52 < cjwatson> lool: from what I can tell it was part of the preparation for 
          roaming support

   Thanks,
-- 
Loïc Minier
-------------- next part --------------
diff -Nru logcheck-1.3.5ubuntu1/debian/changelog logcheck-1.3.5ubuntu2/debian/changelog
--- logcheck-1.3.5ubuntu1/debian/changelog	2010-01-21 23:36:34.000000000 +0100
+++ logcheck-1.3.5ubuntu2/debian/changelog	2010-01-28 18:10:35.000000000 +0100
@@ -1,3 +1,11 @@
+logcheck (1.3.5ubuntu2) lucid; urgency=low
+
+  * rulefiles/linux/ignore.d.server/ssh: Add "disconnected by user" re in the
+    "Received disconnect from" series; this now occurs frequently with lucid
+    ssh clients.
+
+ -- Loïc Minier <loic.minier at ubuntu.com>  Thu, 28 Jan 2010 18:09:22 +0100
+
 logcheck (1.3.5ubuntu1) lucid; urgency=low
 
   * rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
diff -Nru logcheck-1.3.5ubuntu1/rulefiles/linux/ignore.d.server/ssh logcheck-1.3.5ubuntu2/rulefiles/linux/ignore.d.server/ssh
--- logcheck-1.3.5ubuntu1/rulefiles/linux/ignore.d.server/ssh	2009-09-05 12:45:08.000000000 +0200
+++ logcheck-1.3.5ubuntu2/rulefiles/linux/ignore.d.server/ssh	2010-01-28 18:09:15.000000000 +0100
@@ -13,6 +13,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: [12]: Timeout, server not responding\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Client disconnect$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: Disconnect requested by Windows SSH Client\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Server listening on [:[:xdigit:].]+ port [[:digit:]]+\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because (listed in Deny|not listed in Allow)Users$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+( by ([[:alnum:]-]+)?\(uid=[[:digit:]]+\))?$

More information about the Logcheck-devel mailing list