PAM module causes flurry of SSH sessions

view full story

http://serverfault.com – While tailing /var/log/auth.log I noticed that there where multiple entries being entered (instantly) by the minute for user "foo". I personally had only one connection open as user "root_bar" while tailing the auth.log (log sample below). As you can see, there is no IP information for this incoming SSH connections. What is the best way to trace the IP address for incoming SSH connections? Aug 10 14:30:04 ps2000 suexec: (pam_unix) session opened for user root_bar by (uid=999) Aug 10 14:30:04 ps2000 suexec: (pam_unix) session closed for user root_bar Aug 10 14:30:06 ps2000 suexec: (pam_unix) (HowTos)