OpenSSH logging with GMT on Connection close?

Michael Pelletier mvpel at hushmail.com
Tue Aug 19 10:55:51 EDT 2008


Typically a system application, such as syslog, will have a different
timezone than the shell if either the shell independently sets its timezone
in /etc/profile, .bashrc, or the like, or if the TZ variable in the system
startup configuration was changed after the system was booted.

Things like "init" and "syslog", which are started at boot and are
long-running, don't pick up TZ changes made after boot.  And with syslog,
it's the syslogd that's responsible for the timestamp, not the process
sending the log entry.

Are all the syslog entries in GMT, or only the OpenSSH timestamps?  Do you
have an example where an earlier entry shows a later time than a subsequent
entry?

Also, be sure that your system timezone is set correctly, and that GMT isn't
just the system trying to cope with an indecipherable timezone - I had a
system that someone set to "GMT+5" thinking that it meant "five hours ahead
of GMT," but it actually meant "US Eastern Time without daylight savings,"
and so the system in Bangalore was running backups in the middle of the day.
It was supposed to be "Asia/Calcutta" to get the proper local time and
daylight savings rules. In NH, you'd want "US/Eastern" of course.

	-Michael Pelletier.

-----Original Message-----
From: gnhlug-discuss-bounces at mail.gnhlug.org
[mailto:gnhlug-discuss-bounces at mail.gnhlug.org] On Behalf Of Kevin D. Clark
Sent: Tuesday, August 19, 2008 10:12 AM
To: Greater NH Linux User Group
Subject: Re: OpenSSH logging with GMT on Connection close?


Bill McGonigle writes:

> I've got a Fedora 8 machine here running sshd (OpenSSH_4.7p1, OpenSSL
> 0.9.8b 04 May 2006) and when it closes a connection, it reports in
> /var/log/secure a timestamp that's in GMT rather than in localtime:
>
>    Aug  7 17:45:31 sshhost sshd[22039]: pam_unix(sshd:session): session closed for user userone
>    Aug  7 21:49:04 sshhost sshd[22092]: Connection closed by 192.168.1.123
>    Aug  7 17:54:57 sshhost sshd[22588]: Accepted publickey for usertwo from 192.168.1.123 port 52016 ssh2

This is a really weird problem.  I UTSL'd through the openssh-5.0p1 code and
I don't see any interesting differences between the login/logout code that
uses syslog.

I thought about this quite a bit during my commute this morning and my best
guess is that this might have something to do with how the TZ environment
variable is configured in your environment?

If you are using syslog-ng, does using use_time_recvd help?

Regards,

--kevin
-- 
GnuPG ID: B280F24E                Meet me by the knuckles
alumni.unh.edu!kdc                of the skinny-bone tree.
http://kdc-blog.blogspot.com/     -- Tom Waits
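
The check asked about in the reply above (an earlier entry showing a later time than a subsequent one) can be automated when reviewing a log timeline. This is an added example, not part of the original thread: it flags lines that break the file's time order and estimates how many hours they are off. The function names and the `year` default are assumptions of this example.

```python
import re
from bisect import bisect_right
from datetime import datetime, timedelta

# The three /var/log/secure lines quoted in the thread, mail line-wraps rejoined.
SAMPLE = """\
Aug  7 17:45:31 sshhost sshd[22039]: pam_unix(sshd:session): session closed for user userone
Aug  7 21:49:04 sshhost sshd[22092]: Connection closed by 192.168.1.123
Aug  7 17:54:57 sshhost sshd[22588]: Accepted publickey for usertwo from 192.168.1.123 port 52016 ssh2
"""
STAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")

def parse(text, year=2008):
    """[(datetime, raw line)]; syslog stamps have no year or zone, so year is assumed."""
    hits = ((STAMP.match(raw), raw) for raw in text.splitlines())
    return [(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), raw)
            for m, raw in hits if m]

def in_order(stamps):
    """Indexes of a longest non-decreasing subsequence. syslogd appends in arrival
    order, so lines outside it are suspects (on a tie the run ending latest wins)."""
    tails, tail_idx, prev = [], [], [None] * len(stamps)
    for i, ts in enumerate(stamps):
        k = bisect_right(tails, ts)
        prev[i] = tail_idx[k - 1] if k else None
        if k == len(tails):
            tails.append(ts)
            tail_idx.append(i)
        else:
            tails[k], tail_idx[k] = ts, i
    keep, i = set(), (tail_idx[-1] if tail_idx else None)
    while i is not None:
        keep.add(i)
        i = prev[i]
    return keep

def skewed(text, year=2008):
    """[(raw line, hours ahead)] for lines outside the in-order run, measured against
    the nearest in-order line and rounded to 15 min (present-day UTC offset steps)."""
    rows = parse(text, year)
    stamps = [ts for ts, _ in rows]
    keep = in_order(stamps)
    found = []
    for i, (ts, raw) in enumerate(rows):
        if i not in keep:
            ref = stamps[max((j for j in keep if j < i), default=min(keep))]
            found.append((raw, round((ts - ref) / timedelta(minutes=15)) / 4))
    return found
```

On the quoted lines, `skewed(SAMPLE)` reports only the "Connection closed" entry, about four hours ahead of its neighbours, which is the gap between GMT and US Eastern daylight time in August.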