When a client authentication request fails, prosody generates multiple debug-level log messages, however none of them provides the information which user name failed to authenticate.
Here is an example:
Mar 10 07:51:28 c2s3553650 debug Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
Mar 10 07:51:28 yax.im:auth_internal_hashed debug test password for user 'aron'
Mar 10 07:51:28 datamanager debug Assuming empty accounts storage ('cannot open /var/lib/prosody/yax%2eim/accounts/aron.dat: No such file or directory') for user: aron@yax.im
Mar 10 07:51:28 yax.im:saslauth debug sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>Unable to authorize you with the authentication credentials you've sent.</text></failure>
As it stands, cumbersome multi-line matching mechanism must be improvised to extract the usernames, e.g.
awk '/test password for user/{ uid=$10 } /sasl reply: <failure/{ print uid; }' < /var/log/prosody/prosody.log
Please provide a single non-debug-level log line (ideally in the context of the client session) that shows that an authentication mechanism has failed for a given username.
MattJ
on
Changes
tags Milestone-0.10 Status-Accepted
Ge0rG
on
I was made aware of https://modules.prosody.im/mod_log_auth.html which falls short in multiple ways:
- it does not log the username if the user does not exist
- it logs in module and not in session context, making further debugging harder.
When a client authentication request fails, prosody generates multiple debug-level log messages, however none of them provides the information which user name failed to authenticate. Here is an example: Mar 10 07:51:28 c2s3553650 debug Received[c2s_unauthed]: <auth mechanism='PLAIN' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> Mar 10 07:51:28 yax.im:auth_internal_hashed debug test password for user 'aron' Mar 10 07:51:28 datamanager debug Assuming empty accounts storage ('cannot open /var/lib/prosody/yax%2eim/accounts/aron.dat: No such file or directory') for user: aron@yax.im Mar 10 07:51:28 yax.im:saslauth debug sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>Unable to authorize you with the authentication credentials you've sent.</text></failure> As it stands, cumbersome multi-line matching mechanism must be improvised to extract the usernames, e.g. awk '/test password for user/{ uid=$10 } /sasl reply: <failure/{ print uid; }' < /var/log/prosody/prosody.log Please provide a single non-debug-level log line (ideally in the context of the client session) that shows that an authentication mechanism has failed for a given username.
I was made aware of https://modules.prosody.im/mod_log_auth.html which falls short in multiple ways: - it does not log the username if the user does not exist - it logs in module and not in session context, making further debugging harder.
These commits should improve the situation: https://hg.prosody.im/0.10/rev/57192cf193c7 https://hg.prosody.im/prosody-modules/rev/404d47d2e833 Please test and report
ChangesThank you very much, the new logging is great!
Thanks!
Changes