Sudo – Stop PAM Messages in auth.log for Specific User

The entries are added to the log each time a cron job runs. To reduce the time between entries, you would have to look at your cron jobs and change their timings. This, though, may break something that relies on those jobs running at specific intervals.

If they really do annoy you, then simply follow the instructions on the Debian bug report and stop cron from logging an entry in the auth.log each time a job runs. That is, edit /etc/pam.d/common-session-noninteractive and add:

session     [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid

before the line: session required pam_unix.so

and restart the cron service (as per links provided by original poster)

Here is a solution that works for me. My /etc/pam.d/sudo:

#%PAM-1.0
auth            [success=1]     pam_exec.so    /tmp/test-pam
auth            required        pam_deny.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth

And /tmp/test-pam:

#! /bin/bash
/bin/last -i -p now ${PAM_TTY#/dev/} | \
    /bin/awk 'NR==1 { if ($3 != "0.0.0.0") exit 9; exit 0; }'

I get this behavior:

$ sudo date
[sudo] password for jdoe:
Thu Jun 28 23:51:58 MDT 2018
$ ssh localhost
Last login: Thu Jun 28 23:40:23 2018 from ::1
valli$ sudo date
/tmp/test-pam failed: exit code 9
[sudo] password for jdoe:
sudo: PAM authentication error: System error
valli$

The first line added to the default pam.d/sudo calls pam_exec and, if it succeeds, skips the next entry. The second line just denies access unconditionally.

In /tmp/test-pam I call last to get the IP address associated with the TTY pam was invoked from. ${PAM_TTY#/dev/} removes /dev/ from the front of the value, because last doesn't recognize the full device path. The -i flag makes last show either the IP address or the placeholder 0.0.0.0 if there is no IP address; by default it shows an info string which is much harder to check. This is also why I used last instead of who or w; those don't have a similar option. The -p now option isn't strictly necessary, as we'll see awk is only checking the first line of output, but it restricts last to show only users who are presently logged in.

The awk command just checks the first line, and if the third field isn't 0.0.0.0 it exits with an error. Since this is the last command in /tmp/test-pam, awk's exit code becomes the exit code for the script.

On my system, none of the tests you were trying in your deny-ssh-user.sh would work. If you put env > /tmp/test-pam.log at the top of your script, you'll see that the environment has been stripped, so none of your SSH_FOO variables will be set. And $PPID could point to any number of processes. For example, run perl -e 'system("sudo cat /etc/passwd")' and see that $PPID refers to the perl process.

This is Arch Linux, kernel 4.16.11-1-ARCH, in case it matters. I don't think it should, though.