[BlueOnyx:21696] Re: Seeing kernel error auth[xxxxx]: segfault at 10 ... error 4
Michael Stauber
mstauber at blueonyx.it
Mon Jan 29 14:07:05 -05 2018
Hi Jim,
> After a recent yum update I am seeing this error happen occasionally. I
> am not sure if this is affecting anything as no complaints from anyone
> so far but thought I would be proactive and see if I should be concerned
> about this new error.
>
> kernel: auth[32633]: segfault at 10 ip 0000562140c4fc14 sp
> 00007ffce4a944a0 error 4 in auth[562140c33000+51000]
I think this is not related to the kernel updates or at least it is
unlikely to be the case.
The process that died was the "auth" process. That gives us some
pointers, but not much. We don't know which service (docecot, SMTP-Auth,
SSH or ProFTPd) was using "auth" to authenticate a user when the problem
happened.
Your logs might shed some more light on the issue if you look at the
timestamp of the above error message and correlate it with logins
against the various services from said logs.
The problem seems to happen when someone tries to login with a user that
has a "crippled" /etc/shadow entry. By crippled I mean ! or * as
password entry (which effectively denies login), as for "mail", "httpd",
"nobody" and other system accounts.
In that case the spawned "auth" command will die and the calling
application (for example dovecot) will treat this as "authentication
failed".
So you might check /var/log/messages and /var/log/secure for login
attempts that happened at the same time as the above error message. Most
likely someone was trying a brute force login attack and tried to auth
with a system user as well.
--
With best regards
Michael Stauber
More information about the Blueonyx
mailing list