On 7/8/10 11:13 PM, David Adam wrote:
On Thu, 8 Jul 2010, Glen Barber wrote:

On 7/8/10 10:24 PM, David Adam wrote:
On Thu, 8 Jul 2010, Glen Barber wrote:
What caught my interest is if I attempt to log in from a machine
where I do not have my key or an incorrect key, I see nothing logged
in auth.log about a failed login attempt.  If I attempt with an
invalid username, as expected, I see 'Invalid user ${USER} from
${IP}.'

I'm more concerned with ssh login failures with valid user names.
Looking at crypto/openssh/auth.c, allowed_user() returns true if the
user is not in DenyUsers or DenyGroups, exists in AllowUsers or
AllowGroups (if it is not empty), and has an executable shell.  I'm
no C hacker, but superficially it looks like it can never meet a
condition where the user is valid but the key is invalid to trigger
a log entry.

Is this a bug in openssh, or have I overlooked something in my
configuration?

With LogLevel VERBOSE, you should get entries like
sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2

Is that what you're after?

Sort of, but do I really need to set verbose logging to find that valid users
are used in SSH attacks?  root is an obvious target, which in my scenario is
not allowed.  I'm concerned about more specific, allowed users.

It's just an example I pulled out of the logs. You won't get that message
for users listed in DenyUsers, although you will get spaff if the denied
user attempts password authentication.
Right. Though, password authentication is not allowed, which brings me back to my original point.

To me, verbose SSH logging doesn't seem like too big a burden,

It does to me, especially if, by default, sshd does not log failed logins from valid users. I believe *that* should be default.

particularly if coupled with tools like sshit/sshdeny or logwatch. I
encourage you to experiment; you could even try patching sshd to emit the
relevant log lines at a lower debug level if you want.
I am fully aware of these utilities. They don't address the real problem, however. Logwatch, in this scenario, is useless unless verbose logging is enabled for sshd, which I believe should not be necessary.

Regards,

--
Glen Barber
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
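The thread turns on one log line: at the default LogLevel, sshd logs "Invalid user" for unknown names but says nothing about a valid user presenting a bad key, and only LogLevel VERBOSE produces the "Failed publickey for ... from ... port ... ssh2" line quoted above. The following script is an added example, not code from the thread or from OpenSSH; it parses constructed auth.log lines in that format (the syslog prefix and host name are assumptions) and counts failed public-key attempts per valid user and source, which is exactly the signal a logwatch-style tool can only see once VERBOSE is enabled.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the thread). The
# "Failed publickey" lines are what sshd emits at LogLevel VERBOSE; the
# "Invalid user" line is emitted at the default level. Addresses are
# documentation ranges.
SAMPLE_AUTH_LOG = """\
Jul  8 23:01:12 host sshd[88595]: Failed publickey for root from 192.0.2.10 port 41256 ssh2
Jul  8 23:01:15 host sshd[88601]: Invalid user admin from 192.0.2.10
Jul  8 23:02:03 host sshd[88610]: Failed publickey for glen from 198.51.100.7 port 50122 ssh2
Jul  8 23:02:09 host sshd[88612]: Failed publickey for glen from 198.51.100.7 port 50130 ssh2
Jul  8 23:03:44 host sshd[88620]: Accepted publickey for glen from 203.0.113.5 port 60010 ssh2
"""

FAILED_PUBKEY = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def failed_pubkey_by_source(log_text):
    """Count VERBOSE-level failed public-key attempts per (user, source IP).

    These lines only exist for users that passed allowed_user(); unknown
    names never reach this point and show up as "Invalid user" instead.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_PUBKEY.search(line)
        if m:
            counts[(m.group("user"), m.group("ip"))] += 1
    return counts


def sources_over_threshold(log_text, threshold=2):
    """Source IPs with at least `threshold` failed key attempts against any
    single valid account, i.e. candidates for a blocklist tool."""
    counts = failed_pubkey_by_source(log_text)
    return sorted({ip for (_, ip), n in counts.items() if n >= threshold})


def invalid_user_sources(log_text):
    """Source IPs seen in default-level "Invalid user" lines, for comparison."""
    ips = set()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            ips.add(m.group("ip"))
    return sorted(ips)
```

Run against a real auth.log on a host with the default LogLevel, failed_pubkey_by_source() will return an empty Counter even while a valid account is being probed; that silence is the point raised in the thread.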