[ale] SSH session ends immediately after authentication

Jason Day jasonday at worldnet.att.net
Fri Jan 27 09:40:35 EST 2006


On Thu, Jan 26, 2006 at 03:42:47PM -0500, Jason Day wrote:
> On 1/26/06, James P. Kinney III <jkinney at localnetsolutions.com> wrote:
> 
> > Ah Ha! A full hard drive would cause a login to fail as it can't record
> > the access. If this is a production server you have a problem as the
> > logging is now not running.
> >
> 
> No, it's just my cable modem router for home use.  The downtime isn't a big
> deal, but a compromised system would be.  This makes me slightly less
> anxious.  I'll report what I find after I get home.

Well, it wasn't a full hard drive.  When I got home I tried logging in
on a serial console without success.  So I dragged a monitor over and
plugged it in and still couldn't log in.  I did however have an open ssh
session connected from another box on my LAN.  df showed plenty of space
on the hard drive, netstat didn't show anything unusual.  Tried to su so
I could check the logs, and su segfaulted.  I tried another command
(don't remember which one) and the ssh session closed without warning.

Rebooted with a knoppix disk and ran memtest86.  No errors.  Tried
rebooting again, but I kept getting IO errors when knoppix was trying to
mount the cdrom.  I think the cdrom drive might be bad, it is ancient.
Rebooted to single user mode, everything seemed fine.  Nothing unusual
in the logs.  The logs show all my ssh attempts, but don't show any
errors; just a session opened immediately followed by a session closed.
During all this time, fetchmail continued to run *and* successfully
fetched mail, and exim and procmail successfully delivered it.

I don't know what would make it go all wonky like that, but it occurs to
me that the programs that had problems (su, login, ??) are all on the
root partition, while the programs that worked (fetchmail, sshd, exim,
procmail) are on the /usr partition.  I'll get a toms root boot tonight
so I can do a badblocks check on the root partition.  Anything else I
should look out for?

Thanks,
Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
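
The log pattern described in the message above (a session opened immediately followed by a session closed, with no error logged) can be searched for mechanically. This is an added example, not part of the original post; it assumes pam_unix-style sshd session lines, and the sample log, host name, PIDs and time threshold are all constructed.

```python
import re
from datetime import datetime

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = """\
Jan 26 09:10:05 router sshd[1904]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 26 15:01:12 router sshd[2211]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 26 15:01:12 router sshd[2211]: pam_unix(sshd:session): session closed for user jason
Jan 26 15:03:40 router sshd[2240]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Jan 26 15:03:41 router sshd[2240]: pam_unix(sshd:session): session closed for user jason
Jan 26 15:05:00 router exim[2301]: delivery completed
Jan 26 16:20:30 router sshd[1904]: pam_unix(sshd:session): session closed for user jason
"""

# Matches both "sshd[pid]: pam_unix(...)" and the older "sshd(pam_unix)[pid]:" tag.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\S*\[(\d+)\]: "
    r".*session (opened|closed) for user (\S+)"
)

def short_sessions(log_text, max_seconds=2, year=2006):
    """Return (user, pid, opened_at, seconds) for every sshd session that
    closed within max_seconds of opening. Syslog timestamps carry no year,
    so the caller supplies one."""
    opened = {}  # sshd pid -> (user, time the session opened)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd session open/close line
        stamp, pid, event, user = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if event == "opened":
            opened[pid] = (user, when)
        elif pid in opened:
            open_user, start = opened.pop(pid)
            seconds = (when - start).total_seconds()
            if 0 <= seconds <= max_seconds:
                hits.append((open_user, int(pid), start, seconds))
    return hits

if __name__ == "__main__":
    for user, pid, start, seconds in short_sessions(SAMPLE_LOG):
        print(f"{start:%b %d %H:%M:%S} user={user} sshd pid={pid} "
              f"closed after {seconds:.0f}s")
```

Sessions are paired by sshd PID, so a long-lived session that overlaps the short ones (PID 1904 in the sample) is not reported.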
