per default Debian (unfortunately) does not log ssh logins (why? afraid of harddisk overflows?)

  • every user and admin wants to see “who and what is going on” the system
  • usefull also for debugging purposes: what if a ssh client is sometimes allowed and sometimes refused to login?
    • why? what’s the issue?
  • sshd does not write it’s own logfile (the default logfile would be /var/log/auth.log) but relies on rsyslog to do the default but rsyslog is not installed on Debian per default

so let’s go:

hostnamectl; # tested on
Operating System: Debian GNU/Linux 12 (bookworm)  
          Kernel: Linux 6.1.0-18-amd64
    Architecture: x86-64

# DEFINATELY do some ssh hardening :) (as best as possible harden and secure)

su - root
apt install rsyslog

then configure:

vim /etc/ssh/sshd_config

# enable basic logging information
SyslogFacility AUTH

# basic logging
LogLevel INFO

# or VERY detailed logging
LogLevel DEBUG3


service ssh restart


# monitor only the auth.log
tail -f /var/log/auth.log

or use “live view of all logs” one-liner:

now test-ssh-login to this system and check what the log does 😀

sample output: of 
tail -f /var/log/auth.log

# login
2024-03-04T17:39:08.271714+01:00 hostname_of_ssh_server sshd[35883]: Accepted publickey for user from 192.ip.of.client port 57528 ssh2: ED25519 SHA256:xxxxxx
2024-03-04T17:39:08.272773+01:00 hostname_of_ssh_server sshd[35883]: pam_unix(sshd:session): session opened for user user(uid=1000) by (uid=0)
2024-03-04T17:39:08.279359+01:00 hostname_of_ssh_server systemd-logind[1084]: New session 34 of user user.
2024-03-04T17:39:08.318215+01:00 hostname_of_ssh_server sshd[35883]: pam_env(sshd:session): deprecated reading of user environment enabled

# logoff
2024-03-04T17:38:47.298498+01:00 hostname_of_ssh_server sshd[35840]: Received disconnect from 192.ip.of.client port 42328:11: disconnected by user
2024-03-04T17:38:47.299446+01:00 hostname_of_ssh_server sshd[35840]: Disconnected from user user 192.ip.of.client port 42328
2024-03-04T17:38:47.299774+01:00 hostname_of_ssh_server sshd[35833]: pam_unix(sshd:session): session closed for user user
2024-03-04T17:38:47.306328+01:00 hostname_of_ssh_server systemd-logind[1084]: Session 33 logged out. Waiting for processes to exit.
2024-03-04T17:38:47.308371+01:00 hostname_of_ssh_server systemd-logind[1084]: Removed session 33.

once upon a log file:

# what was encounted in
vim /var/log/auth.log
# gnome keyring logs there as well
2024-03-04T18:31:36.908206+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: starting password prompt for callback /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.767868+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: completed password prompt for callback :1.18@/org/gnome/keyring/Prompt/p1
2024-03-04T18:31:38.768150+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: encrypting data
2024-03-04T18:31:38.768313+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: sending the secret exchange: [sx-aes-1]\npublic=xxxx/xxxxx\nsecret=xxxxxxxx==\niv=xxxxx+gEBg==\n
2024-03-04T18:31:38.768451+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: calling the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788017+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: returned from the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788188+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: received PerformPrompt call from callback /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788283+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788378+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: closing the prompt 
2024-03-04T18:31:38.788473+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788565+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788660+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788751+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788840+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788925+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.790956+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: calling the PromptDone method on /org/gnome/keyring/Prompt/p1@:1.18, and ignoring reply
2024-03-04T18:31:48.570587+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: 10 second inactivity timeou

# this file
dpkg -S /usr/libexec/gcr-prompter

# belongs to the package

apt show gcr
Package: gcr
Version: 3.41.1-1+b1
Priority: optional
Section: gnome
Source: gcr (3.41.1-1)
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers ÄT lists DOOOOT alioth DooOT debian doOT org>
Installed-Size: 1,644 kB
Depends: default-dbus-session-bus | dbus-session-bus, libgcr-base-3-1 (= 3.41.1-1+b1), libgcr-ui-3-1 (= 3.41.1-1+b1), dconf-gsettings-backend | gsettings-backend, init-system-helpers (>= 1.52), libc6 (>= 2.34), libgck-1-0 (>= 3.3.90), libglib2.0-0 (>= 2.44.0), libgtk-3-0 (>= 3.22.0), libsecret-1-0 (>= 0.20), libsystemd0
Tag: uitoolkit::gtk
Download-Size: 272 kB
APT-Manual-Installed: no
APT-Sources: bookworm/main amd64 Packages
Description: GNOME crypto services (daemon and tools)
 GCR is a library for crypto UI and related tasks.

 This package contains the certificate viewer and prompter service.

dpkg -l|grep gcr
ii  gcr                                            3.41.1-1+b1                            amd64        GNOME crypto services (daemon and tools)


it is a wee bit strange, a lot of stuff is written to log files, often too much like:

==> /var/log/syslog <==

2024-03-04T17:33:03.463570+01:00 hostname_of_server NetworkManager[1113] <warn> [1709569983.4627] platform-linux: do-add-ip6-address[3] fe80::b0f4:2e3e:d41d:36ce]: failure 95 (Operation not supported)

<- NetworkManager just can’t accept that IPv6 was disabled?

# tell NetworkManager ipv6 is disabled for this nic (creditz)
nmcli d modify name_of_interface ipv6.method "disabled"
Connection successfully reapplied to device 'name_of_interface'.

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!