SSHD logging question

 
Chrisl_2
Frequent Advisor

SSHD logging question

HPUX 11.00 PARISC

Hi all,

sshd logging to syslog seems to have the time set to EDT. Unfortunately we are in PDT. The host time and the client systems all have the time set correctly. Anyone know where to look for this?

TIA Chris
Alzhy
Honored Contributor

Re: SSHD logging question

Have you checked IF your server is actually on PDT Timezone?

# echo $TZ
PST8PDT




Hakuna Matata.
Mel Burslan
Honored Contributor

Re: SSHD logging question

I don't think sshd has a separate timezone setting, but it uses the system time when it logs. What do the contents of your /etc/TIMEZONE file say about your timezone, as the most trivial starting point for troubleshooting?

If it is set correctly, could you please paste a snippet of your syslog to see how the log time jumps back and forth between a few entries?
________________________________
UNIX because I majored in cryptology...
Chrisl_2
Frequent Advisor

Re: SSHD logging question

Here's a bit of syslog.log

Apr 4 14:43:48 dining sshd[10645]: Accepted publickey for bak from 132.239.29.96 port 41568 ssh2
Apr 4 14:43:49 dining sshd[10652]: Accepted publickey for bak from 132.239.29.96 port 41569 ssh2
dining:/var/adm/syslog>tail -100 syslog.log |more
Apr 4 10:14:03 dining ftpd[9946]: FTP session closed

here's the TZ

dining:/var/adm/syslog>echo $TZ
PST8

here's /etc/timezone

dining:/var/adm/syslog>cat /etc/TIMEZONE
TZ=PST8
export TZ



Mel Burslan
Honored Contributor

Re: SSHD logging question

my /etc/TIMEZONE says:

# cat TIMEZONE
TZ=PST8PDT
export TZ

I am not sure if it is related to your problem (the lack of PDT in the TZ definition), but you sure can try and it won't hurt anything.

Also, which version of sshd are you running?

just telnet to the port 22 (or other if you are running it on an unusual setup) of your host and see what it says. I am not sure what else to suggest or ask.
________________________________
UNIX because I majored in cryptology...
A. Clay Stephenson
Acclaimed Contributor

Re: SSHD logging question

Note that sshd is started by rc. Rc normally sources /etc/TIMEZONE but if that file was not found then TZ is hardset to EST5EDT and exported to any child processes including sshd. At this point all we can know is the contents of /etc/TIMEZONE as it is now; that does not mean that we know the contents when sshd was actually started.

I would (from the console) issue an /sbin/init.d/secsh stop and /sbin/init.d/secsh start.
If it ain't broke, I can fix that.
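
A check for the symptom discussed in this thread, as an added example that is not part of any post: it scans syslog lines for daemons whose timestamps sit a whole number of hours away from neighbouring lines, which is what a daemon started with a different TZ produces. The sample lines, the assumed year and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, median_low

# Constructed sample (write order), modelled on the thread: sshd inherited a
# different TZ from its start-up environment and stamps lines 3 hours ahead.
SAMPLE = """\
Apr  4 10:14:03 dining ftpd[9946]: FTP session closed
Apr  4 10:14:12 dining inetd[9950]: ftp/tcp: Connection from host
Apr  4 13:14:20 dining sshd[10645]: Accepted publickey for bak from 192.0.2.10 port 41568 ssh2
Apr  4 10:14:30 dining cron[9961]: job started
Apr  4 10:14:45 dining ftpd[9970]: FTP session closed
Apr  4 10:14:50 dining inetd[9975]: ftp/tcp: Connection from host
Apr  4 13:14:58 dining sshd[10652]: Accepted publickey for bak from 192.0.2.10 port 41569 ssh2
Apr  4 10:15:00 dining cron[9980]: job started
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([^\[:\s]+)")

def parse(line, year=2000):
    """Return (timestamp, program) or None; syslog omits the year, so one is assumed."""
    m = LINE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group(2)

def skewed_programs(text, span=3, tolerance_s=300):
    """Map program -> whole-hour offset from neighbouring lines (nonzero only).

    Assumes the skewed daemon writes a minority of the nearby lines.
    """
    entries = [e for e in map(parse, text.splitlines()) if e]
    deltas = defaultdict(list)
    for i, (ts, prog) in enumerate(entries):
        window = entries[max(0, i - span):i + span + 1]
        others = [t for t, p in window if p != prog]
        if others:
            # median_low returns an actual neighbour timestamp as the reference
            deltas[prog].append((ts - median_low(others)).total_seconds())
    flagged = {}
    for prog, ds in deltas.items():
        mid = median(ds)
        hours = round(mid / 3600)
        if hours and abs(mid - hours * 3600) <= tolerance_s:
            flagged[prog] = hours
    return flagged
```

A flagged daemon means its log entries need that offset applied before they are correlated with other sources in a timeline.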
Steven E. Protter
Exalted Contributor

Re: SSHD logging question

Shalom Chris!

There have been some problems with connection logging in recent secure shell openssh versions.

The latest version 4.2.004 corrects some of these.

Perhaps check version.

swlist -l product | grep -i secure

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Chrisl_2
Frequent Advisor

Re: SSHD logging question

This issue has been around longer than the time change this past Saturday, so I don't think that it is a daylight savings time issue. I think somewhere, ssh thinks that the system is in EST, I'm just not sure where it gets this info.

the version of ssh is

dining:/var/adm/syslog>ssh -v
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6b 9 Jul 2001

thanks

Chrisl_2
Frequent Advisor

Re: SSHD logging question

BTW, I have 2 other systems running SSH. They do have PST8PDT in /etc/TIMEZONE. They are logging time correctly. Maybe that is it. If I kill HUP the sshd process, will users that have current ssh connections get interrupted?

TIA
Mel Burslan
Honored Contributor
Solution

Re: SSHD logging question

As Clay indicated, /sbin/init.d/secsh stop and then start should not affect the users already logged in. For a brief time between the issuance of the stop and start commands, 5-10 seconds maybe, people who want to start a new ssh session may get a connection refused message.

Also, check your ssh version and upgrade to something recent if at all possible. As Steven indicated, older versions had some logging and authentication problems.
________________________________
UNIX because I majored in cryptology...