[CentOS] sshd logging with GMT times?

Wed Nov 15 17:34:48 UTC 2006
Michael Velez <mikev777 at hotmail.com>

> 
> David Mackintosh wrote:
> > Hi folks,
> > 
> > while chasing down a logging-related situation, I happened to notice
> > that when I connect via ssh to my system it makes the 
> following logs:
> > 
> > Nov 15 14:15:39 saturn sshd[29868]: Accepted password for 
> dave from ::ffff:10.0.10.14 port 2833 ssh2
> > Nov 15 09:15:39 saturn sshd[29867]: Accepted password for 
> dave from ::ffff:10.0.10.14 port 2833 ssh2
> > Nov 15 09:15:39 saturn sshd(pam_unix)[29869]: session 
> opened for user dave by (uid=0)
> > 
> > That is, sshd appears to log the connection with GMT (or UCT) before
> > the child sshd logs it with local time.  
> 
> > How do I either tell sshd to always use local time, or tell 
> it not to
> > make the first entry?  
> 
> That is a bug. See <http://bugs.centos.org/view.php?id=1557> and the
> RedHat bugzilla entry which is referenced in that bug report.
> 
> Cheers,
> 
> Ralph
> 
> 

A hard link between /var/empty/sshd/etc/localtime to /etc/localtime changes
the timestamp, although two messages still get reported.  The hard link
should solve the issue brought up by some people in the redhat bugzilla
discussion for this bug in which a mere copy would not solve the problem if
/etc/localtime is actually changed.  With the hard link, if /etc/localtime
is changed, /var/empty/sshd/etc/localtime will see the change as well. I
chose a hard link because I wasn't sure how a symbolic link would work in
the chroot configuration (I did not test the symlink).

Thanks for reporting this as I've seen this issue for a few weeks now and
didn't know how to solve it.  Hopefully, the openssh patch discussed in
redhat bugzilla will solve the "duplicate messages" issue.

Michael