On 03/01/12 21:16, Mike Mestnik wrote:
> On 03/01/12 21:00, Bedwell, Jordon wrote:
>> On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <che...@mikemestnik.net> wrote:
>>> On 03/01/12 18:57, Russell Coker wrote:
>>>> On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
>>>>>> Run the command below.
>>>>>>
>>>>>> grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>>>>>>
>>>>>> If you don't get 1 as output, your sshd is compromised.
>>>>> It returned 1; this happens on freshly installed Debian and Ubuntu too,
>>>>> though. Tested it on Ubuntu too.
>>>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>>>
>>>> If you had an sshd that is compromised in the same way as one was on one
>>>> of my servers, then Anibal's command will give an output of 0.
>>>>
>>>> I don't know what relevance this has to a discussion of OpenSSH logging,
>>>> though.
>>>>
>>>> I'd like to have OpenSSH log the email address field from a key that was
>>>> used for login, so I could see something like "ssh key russ...@coker.com.au
>>>> was used to login to account rjc" in my logs.
>>>>
>>> From what I know, that information (the comment on the key) is not very
>>> secure; Joe could put Bob as his comment...
>>>
>>> However, one could do a look-up on the key from a key-server and get the
>>> email address that way. This is assuming that people are using their
>>> gpg (email) keys for ssh.
>> I don't know if the chroot idea is legitimate or not, but I went ahead
>> and started a logger in /run/sshd/dev/log and there were still no logs
>> for publickey denied. If this idea was actually for sure true, why
>> would it show successful logins in the log and not unsuccessful logins
>> in the log?
>>
> I don't know the details, but I've done this and was then able to track
> down my kerberos issues. Unsuccessful logins might not ever leave the
> chroot; they exit there and then. Successful logins get a return
> somehow, likely via a pipe created earlier.
>
> It seems like this isn't working for you. That's when I start ssh on
> another port under an strace...
>
> strace -f sshd -p 222
>
> Plus whatever other options. Then ssh to port 222 and get the log of
> what happens... This is how I originally discovered where I needed to
> place my syslog socket.
This document says /var/empty, so that would make it /var/empty/dev/log. Use strace to check where the chroot is, or set the location in the sshd_config file, assuming there is an option for that.

http://www.citi.umich.edu/u/provos/ssh/privsep.html

Archive: http://lists.debian.org/4f50407e.1060...@mikemestnik.net
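The strace procedure above (trace sshd on a spare port, find the privsep chroot, put a syslog socket inside it) can be reduced to a small script. The following is an added example and not code from the thread or from OpenSSH: the function names (chroot_dir, failed_log_connects, socket_path, check_socket) are mine, the trace it reads is a constructed sample modelled on strace's chroot() and connect() line formats rather than a captured one, and it assumes the default strace formatting (either the older `path="..."` or the newer `sun_path="..."` spelling for AF_UNIX addresses).

```shell
#!/bin/sh
# Added example (not from the thread): from an `strace -f sshd -p 222` log,
# work out where the unprivileged sshd child chroots and therefore where a
# syslog socket must exist so that its messages (e.g. publickey denials)
# are not silently lost.

# chroot_dir LOGFILE: directory passed to the last successful chroot() call.
chroot_dir() {
    # Lines look like:  1001  chroot("/var/empty")  = 0
    grep 'chroot("' "$1" | grep ' = 0$' \
        | sed 's/.*chroot("\([^"]*\)").*/\1/' | tail -n 1
}

# failed_log_connects LOGFILE: AF_UNIX paths a process tried to connect()
# to and got ENOENT for, i.e. sockets missing from the chrooted view.
failed_log_connects() {
    grep 'connect(' "$1" | grep 'path="' | grep -- '= -1 ENOENT' \
        | sed 's/.*path="\([^"]*\)".*/\1/' | sort -u
}

# socket_path LOGFILE: host path where the syslog listener socket has to be
# created for the chrooted child to reach it (chroot + /dev/log).
socket_path() {
    dir=$(chroot_dir "$1")
    [ -n "$dir" ] || return 1
    printf '%s/dev/log\n' "${dir%/}"
}

# check_socket LOGFILE: report whether that socket is present on this host.
check_socket() {
    p=$(socket_path "$1") || { echo "no chroot() seen in trace"; return 1; }
    if [ -S "$p" ]; then
        echo "ok: $p exists"
    else
        echo "missing: $p (syslog daemon has no listener inside the chroot)"
        return 1
    fi
}

# Constructed sample trace (not a real capture): the privsep child enters
# its chroot, drops privileges, then cannot reach syslog's /dev/log.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
1000  execve("/usr/sbin/sshd", ["sshd", "-p", "222"], [/* 12 vars */]) = 0
1000  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0) = 1001
1001  chroot("/var/empty")              = 0
1001  chdir("/")                        = 0
1001  setgid(113)                       = 0
1001  setuid(109)                       = 0
1001  socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
1001  connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
EOF

echo "chroot dir:               $(chroot_dir "$SAMPLE")"
echo "failed socket connects:   $(failed_log_connects "$SAMPLE")"
echo "syslog socket must be at: $(socket_path "$SAMPLE")"
check_socket "$SAMPLE" || true   # on most hosts the socket is absent until configured
```

On the sample, the script reports /var/empty as the chroot and /var/empty/dev/log as the place the socket has to live. With rsyslog that socket is created by an extra imuxsock listener (`$AddUnixListenSocket /var/empty/dev/log`); once it exists, a second trace should no longer show the ENOENT on connect().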