# [solved] Where is the sshd log ?

## Basaltman

Hello,

I'm new to Gentoo and just installed Gentoo 11. I intend to upgrade to a newer version as soon as I can.

I have trouble configuring sshd to accept logging in with ssh keys so I'd like to see what's wrong in the log.

But where is the sshd log?

I don't have a /var/log/message file.

Thanks for your help.

Last edited by Basaltman on Thu Feb 13, 2014 4:30 pm; edited 1 time in total

----------

## smerf

Have you changed SSH configuration?

Which system logger have you installed (syslog-ng, ...)?

----------

## Basaltman

Thanks for your reply.

No, it's a fresh install. Here's my sshd_config file.

```
#   $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp   /usr/lib64/misc/sftp-server

# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes

# disable hpn performance boosts
#HPNDisabled no

# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048

# allow the use of the none cipher
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*
```

I tried uncommenting the

```
#SyslogFacility AUTH
#LogLevel INFO
```

lines and restarting sshd but this makes no difference as far as I can tell. I still can't find where sshd logs its stuff.

----------

## cwr

Well, your sshd_config has logging turned off, as far as I can tell.  Mine has:

```
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel DEBUG
```

and seems to log to /var/log/messages. OTOH I've got sshd messages redirected to syslog-ng, and it's a while since I set it up, so I'm not clear as to the default configuration.

Will

----------

## Basaltman

*smerf wrote:*

> Have you changed SSH configuration?
>
> Which system logger have you installed (syslog-ng, ...)?

Oh now I think I understand. I need to install a system logger. I thought there would be one already installed.

Any advice on which one would work best? I need something compatible with fail2ban but I guess they all are?
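
Added example, not part of the thread: a shell check for the two things the question turns on, namely which SyslogFacility/LogLevel sshd uses when those lines are commented (the header of the posted sshd_config says commented options show the defaults) and whether any syslog daemon socket exists to receive the messages. The function names and the report wording are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Print the effective "FACILITY LEVEL" of an sshd_config file. A commented-out
# keyword leaves sshd's default in force (AUTH / INFO); the first uncommented
# value wins. Lines after a Match keyword are conditional and are skipped.
sshd_effective_logging() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "syslogfacility" && fac == "" { fac = toupper($2) }
        tolower($1) == "loglevel" && lvl == "" { lvl = toupper($2) }
        END {
            if (fac == "") fac = "AUTH"
            if (lvl == "") lvl = "INFO"
            print fac, lvl
        }' "$1"
}

# Succeed if a syslog daemon socket exists (default /dev/log).
syslog_socket_present() {
    [ -S "${1:-/dev/log}" ]
}

# Combine both checks. Usage: sshd_log_report CONFIG [SOCKET]
sshd_log_report() {
    cfg=$1
    sock=${2:-/dev/log}
    settings=$(sshd_effective_logging "$cfg") || return 2
    if syslog_socket_present "$sock"; then
        echo "sshd logs as $settings; logger socket $sock present"
    else
        echo "sshd logs as $settings; no logger socket at $sock"
        return 1
    fi
}

# Run the report only when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    sshd_log_report "$@"
fi
```

On a live system, `sshd -T` (run as root) prints the full effective configuration, including `syslogfacility` and `loglevel`.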

----------

## Basaltman

I installed syslog-ng using emerge and now I can see sshd logs in /var/log/messages

Thanks smerf!

I immediately identified why I couldn't log in with ssh using the account I had created. The account didn't exist! I thought it had been created but actually useradd had failed because the username started with an uppercase letter (not allowed).
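
Added example, not part of the thread: once sshd messages reach /var/log/messages, a filter like the one below pulls out the lines that explain a failed key login, including the "Invalid user" case described above. The log lines are a constructed sample (user names, host name, PIDs and the 192.0.2.10 address are made up), and the function names and output labels are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample log, syslog format.
sample_log() {
cat <<'EOF'
Feb 13 16:01:12 gentoo sshd[2101]: Server listening on 0.0.0.0 port 22.
Feb 13 16:02:40 gentoo sshd[2133]: Invalid user Alice from 192.0.2.10
Feb 13 16:02:40 gentoo sshd[2133]: input_userauth_request: invalid user Alice [preauth]
Feb 13 16:02:41 gentoo sshd[2133]: Connection closed by 192.0.2.10 [preauth]
Feb 13 16:05:03 gentoo sshd[2150]: Authentication refused: bad ownership or modes for directory /home/bob/.ssh
Feb 13 16:09:55 gentoo sshd[2171]: Accepted publickey for bob from 192.0.2.10 port 50222 ssh2
Feb 13 16:10:00 gentoo cron[2180]: (root) CMD (test -x /usr/sbin/run-crons)
EOF
}

# Reduce sshd lines to "<reason> <subject>" pairs:
#   no-such-account       login name that has no account on the server
#   key-file-permissions  path rejected by the StrictModes check
#   ok                    user whose public key was accepted
# Reads the files given as arguments, or stdin when there are none.
sshd_auth_summary() {
    awk '
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }      # keep sshd lines only
        {
            msg = $0
            sub(/^.*sshd\[[0-9]+\]: /, "", msg) # strip the syslog prefix
        }
        msg ~ /^Invalid user /            { print "no-such-account", $8; next }
        msg ~ /^Authentication refused: / { print "key-file-permissions", $NF; next }
        msg ~ /^Accepted publickey for /  { print "ok", $9; next }
    ' "$@"
}

# Demonstration on the constructed sample.
sample_log | sshd_auth_summary
```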

----------

## smerf

BTW: https://forums.gentoo.org/viewtopic.php?t=17169

----------

