/var/log/secure.log not showing failed login attempts from loginwindow.

On my old Leopard installation, I could track the login attempts via the /var/log/secure.log log file, and look for things like "failed to authenticate user", but under Snow Leopard, the only log message that appears when a user logs in or fails to log in is "failed to determine Kerberos principal name". This is shown in the logs below, where I failed to log in as admin, then logged in as admin, logged out, then failed as my username, then successfully logged in.

Jan 26 20:46:19 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jan 26 20:49:44 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jan 26 20:58:23 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jan 26 21:00:07 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jan 27 08:09:31 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.

This is useful for me, since I'm running the authsightd script from Jonathan A. Zdziarski which takes pictures of the people typing in wrong passwords.

http://www.zdziarski.com/projects/authsight/

Any ideas?

Scott
PS> I did a full re-install of my host, but then did a Migration Assistant across from Leopard. So, not sure if that might have anything to do with this.

MacBook Pro, Mac OS X (10.6.2)

Posted on Jan 27, 2010 9:49 AM


Jan 27, 2010 3:22 PM in response to Scott Kennedy

First, the developer says:

*AuthSight does not work with OS X Leopard. I have no plans to continue support for AuthSight.*

So, why would you expect it to work with SL? BTW, I can't help with your secure log thingy, since I have numerous lines such as:

Jan 25 14:03:02 localhost com.apple.SecurityServer[24]: checkpw() returned -2; failed to authenticate user XXXXXX (uid 501).

and none dealing with Kerberos, but then I'm not in a corporate setting where admins think they need to know everything. Why is it necessary to know about failed attempts? Privacy concerns might relegate your picture taking to be a violation of users' rights. Etc., etc., etc.

Jan 27, 2010 4:02 PM in response to baltwo

I know the developer has no longer chosen to support authsightd. But other users ported it to Leopard, hence the desire to port it myself and give back to the community.

As for the reason, ever leave your laptop in a hotel room, conference room, etc... with the screen lock on? Did someone try to unlock it or not? authsightd will help you find out who.

I've captured images of co-workers trying to play a prank, maids dusting keyboards, a customer trying to find out secrets, and my kids trying to bypass the internet filter with authsightd.

Quite useful, IMHO.

Scott

Feb 8, 2010 5:59 AM in response to Scott Kennedy

Heya guys, what weird answers. Scott is asking about something not working on the Mac and the answers are about whether having this security feature used makes sense. What about the primary question?

I have the same problem, I regularly have in my console the message "loginwindow[40] in pam_sm_authenticate(): Failed to determine Kerberos principal name." and I think it's linked with "/System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer[1036 1] No valid tickets, timing out"

I'm suspecting those two messages are linked to a performance problem, so I would like to try to fix this issue. Does anyone have a solution?

Aug 16, 2010 5:53 PM in response to toxi

Just as an update...

This problem still persists... I have re-installed the laptop (clean install) with no other software installed and created two accounts. I log in as either one of them and both print the same "login" message when I actually log in.

Aug 5 13:13:31 Biko loginwindow[398]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Aug 5 13:22:17 Biko loginwindow[398]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.

So, this persists across all versions of Snow Leopard.
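Added example, not part of any post in this thread: a small secure.log classifier for the two message shapes quoted above. It treats the SecurityServer "failed to authenticate user" line as a real failure and the loginwindow Kerberos line as ambiguous, since the thread reports it on successful and failed logins alike. The sample lines, user name and uid are constructed.

```python
import re
from collections import Counter

# Constructed sample in the two message shapes quoted in this thread
# (host names, pids, user name and uid are made up for illustration).
SAMPLE = """\
Jan 25 14:03:02 localhost com.apple.SecurityServer[24]: checkpw() returned -2; failed to authenticate user alice (uid 501).
Jan 26 20:46:19 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jan 26 20:49:44 Biko-2 loginwindow[30]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jan 26 20:50:01 Biko-2 com.apple.SecurityServer[24]: checkpw() returned -2; failed to authenticate user alice (uid 501).
this line is not syslog formatted
"""

# BSD syslog layout: "Mon DD HH:MM:SS host process[pid]: message" (no year).
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED = re.compile(r"failed to authenticate user (?P<user>\S+) \(uid (?P<uid>\d+)\)")
KERBEROS = "Failed to determine Kerberos principal name"

def classify(line):
    """Return (kind, fields) for one secure.log line."""
    m = LINE.match(line)
    if not m:
        return "unparsed", {}
    fields = m.groupdict()
    hit = FAILED.search(fields["msg"])
    if hit:
        fields.update(hit.groupdict())
        return "auth_failure", fields
    if KERBEROS in fields["msg"]:
        # Per the thread, this appears on good and bad logins, so it proves nothing.
        return "ambiguous", fields
    return "other", fields

def summarize(text):
    """Count line kinds and failed attempts per user."""
    kinds, failures = Counter(), Counter()
    for line in text.splitlines():
        kind, fields = classify(line)
        kinds[kind] += 1
        if kind == "auth_failure":
            failures[fields["user"]] += 1
    return kinds, failures

if __name__ == "__main__":
    kinds, failures = summarize(SAMPLE)
    print(dict(kinds), dict(failures))
```

A log that yields only "ambiguous" lines, as in the Snow Leopard excerpts above, gives a watcher nothing to trigger on.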

Aug 17, 2010 8:33 AM in response to Barney-15E

I looked into the krb5.conf configuration and see that I could create a "default logging", but upon examination of all our Snow Leopard systems, there is no krb5.conf file installed.

biko:~ sck$ locate krb5.conf
/usr/share/man/man5/krb5.conf.5
biko:~ sck$ sudo find / -name krb5.conf -ls
find: /dev/fd/3: Not a directory
find: /dev/fd/4: Not a directory
biko:~ sck$

Would /etc/krb5.conf be read or does it need to go in a more "apple-esque" location? This is what I'm going to use, to put the messages into /var/log/secure.log, check me if you want...

[logging]
default = SYSLOG:INFO:AUTH

Furthermore, I am not actually using Kerberos at all, just using the base install looking for a "user logged in" or "user failed to login" message in a log file somewhere. So, not sure if this would be a good solution or not, but will attempt and report back.

Message was edited by: Scott Kennedy

Aug 17, 2010 7:07 PM in response to Scott Kennedy

The krb5.conf man page says it uses a couple of plists first.
Configuration in ~/Library/Preferences/edu.mit.Kerberos.KerberosApp.plist take
precedence over the Kerberos configuration files. The order of precedence (with
highest precedence first) of the Kerberos configuration files is as follows:
~/Library/Preferences/edu.mit.Kerberos
/Library/Preferences/edu.mit.Kerberos
/etc/krb5.conf

Aug 18, 2010 8:00 AM in response to Barney-15E

Okay, chewing into this further, I don't have any Kerberos plists apart from kinit's. So, /etc/krb5.conf should be read as a configuration, right?

Biko:~ sck$ ls -la ~/Library/Preferences/edu.mit.Kerberos* /Library/Preferences/edu.mit.Kerberos* /etc/krb5.*
ls: /Library/Preferences/edu.mit.Kerberos*: No such file or directory
-rw------- 1 sck staff 560 Jul 5 22:38 /Users/sck/Library/Preferences/edu.mit.Kerberos.pkinit.plist
-rw-r--r-- 1 root wheel 37 Aug 17 14:08 /etc/krb5.conf
-rw------- 1 root wheel 1391 Oct 17 2009 /etc/krb5.keytab
-rw------- 1 root wheel 1391 Aug 1 10:56 /etc/krb5.keytab~orig
Biko:~ sck$ man plist
Biko:~ sck$ plutil -convert xml1 -o - ~/Library/Preferences/edu.mit.Kerberos.pkinit.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KRBClientCert</key>
<dict>
<key>1111111111111111111111111111111111111111@LKDC:SHA1.22222222222222222222222 22222222222222222</key>
<data>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXX==
</data>
<key>1111111111111111111111111111111111111111@LKDC:SHA1.22222222222222222222222 22222222222222222</key>
<data>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXX==
</data>
</dict>
</dict>
</plist>
Biko:~ sck$ cat /etc/krb5.conf
[logging]
default = SYSLOG:INFO:AUTH
Biko:~ sck$

Oh, and I edited out the key information, since that could be used to steal tokens and it's not really germane to the logging issue.

Scott
