I was scrolling through /var/log/auth.log and noticed that for some reason, not every time, but sometimes when I logged in via SSH, I would see entries like the following, where multiple sessions were opened (at the same time) for one SSH login:
Aug 19 20:48:44 <redacted> sshd[1409]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Aug 19 20:48:44 <redacted> systemd-logind[403]: New session 16 of user <redacted>.
Aug 19 20:49:11 <redacted> sshd[1452]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Aug 19 20:49:11 <redacted> systemd-logind[403]: New session 17 of user <redacted>.
Aug 19 20:49:11 <redacted> sshd[1453]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Aug 19 20:49:11 <redacted> systemd-logind[403]: New session 18 of user <redacted>.
Aug 19 20:49:11 <redacted> sshd[1456]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Aug 19 20:49:11 <redacted> systemd-logind[403]: New session 19 of user <redacted>.
Aug 19 20:49:11 <redacted> sshd[1454]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Aug 19 20:49:11 <redacted> sshd[1457]: pam_unix(sshd:session): session opened for user <redacted> by (uid=0)
Aug 19 20:49:11 <redacted> systemd-logind[403]: New session 21 of user <redacted>.
Aug 19 20:49:11 <redacted> systemd-logind[403]: New session 20 of user <redacted>.
And then multiple sessions closed when the same (single) SSH connection was disconnected:
Aug 19 20:52:56 <redacted> sshd[1764]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 20:52:56 <redacted> systemd-logind[403]: Removed session 23.
Aug 19 21:04:11 <redacted> sshd[1409]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 21:04:11 <redacted> systemd-logind[403]: Removed session 16.
Aug 19 21:04:27 <redacted> sshd[1454]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 21:04:27 <redacted> systemd-logind[403]: Removed session 20.
Aug 19 21:04:27 <redacted> sshd[1453]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 21:04:27 <redacted> systemd-logind[403]: Removed session 18.
Aug 19 21:04:27 <redacted> sshd[1452]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 21:04:27 <redacted> systemd-logind[403]: Removed session 17.
Aug 19 21:04:27 <redacted> sshd[1457]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 21:04:27 <redacted> systemd-logind[403]: Removed session 21.
Aug 19 21:04:27 <redacted> sshd[1456]: pam_unix(sshd:session): session closed for user <redacted>
Aug 19 21:04:27 <redacted> systemd-logind[403]: Removed session 19.
When I run:
loginctl list-sessions
I see:
SESSION UID USER SEAT TTY
317 1000 <redacted>
Only one session ID, which would be a more logical 1-1 relationship between sessions and logins, but as shown above, there have definitely been occasions where this was not the case.
I am wondering whether this is anything to be concerned about security-wise, and whether anyone could offer an explanation that would make sense of why multiple sessions would be opened by one SSH login on some occasions, but not others?
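One way to triage entries like those quoted in the question, as an added example that is not part of the original post: pair each `session opened` line with its `session closed` line by sshd PID and list the seconds in which several sessions opened at once. The sample lines are constructed in the same format, with `host1` and `alice` as placeholders, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format quoted above (host and user are placeholders).
SAMPLE = """\
Aug 19 20:48:44 host1 sshd[1409]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug 19 20:49:11 host1 sshd[1452]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug 19 20:49:11 host1 sshd[1453]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug 19 20:49:11 host1 sshd[1456]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug 19 21:04:11 host1 sshd[1409]: pam_unix(sshd:session): session closed for user alice
Aug 19 21:04:27 host1 sshd[1453]: pam_unix(sshd:session): session closed for user alice
Aug 19 21:04:27 host1 sshd[1452]: pam_unix(sshd:session): session closed for user alice
"""
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
    r"pam_unix\(sshd:session\): session (opened|closed) for user (\S+)"
)

def parse_ts(stamp, year=2000):
    # syslog timestamps have no year; the year used here is an assumption of this example
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(text):
    """Pair open/close events by sshd PID; return (closed sessions, still-open PIDs)."""
    opened, sessions = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, event, user = m.groups()
        if event == "opened":
            opened[pid] = (user, parse_ts(stamp))
        elif pid in opened:  # a close without a logged open is ignored
            who, start = opened.pop(pid)
            secs = int((parse_ts(stamp) - start).total_seconds())
            sessions.append({"pid": pid, "user": who, "seconds": secs})
    return sessions, opened

def bursts(text, threshold=2):
    """Return {(user, timestamp): [pids]} where >= threshold sessions opened in one second."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "opened":
            groups[(m.group(4), m.group(1))].append(m.group(2))
    return {k: v for k, v in groups.items() if len(v) >= threshold}
```

To run it on a live host, pass the contents of /var/log/auth.log to `correlate` and `bursts`; over a long log, sshd PIDs can be reused, so pairs far apart in time deserve a second look.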