OpenSSH not logging denied public keys, even with logging set to verbose.
SSH Version: OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010

Part of the config:

    compression yes
    maxauthtries 1
    port 22
    listenaddress 10.6.18.80
    protocol 2
    useprivilegeseparation yes
    syslogfacility AUTH
    loglevel VERBOSE
    logingracetime 30
    permitrootlogin yes
    strictmodes yes
    rsaauthentication no
    publickeyauthentication yes
    authorizedkeysfile %h/.ssh/authorized_keys
    permitemptypasswords no
    passwordauthentication no
    x11forwarding no
    printlastlog yes
    tcpkeepalive yes
    acceptenv LANG LC_*
    usepam yes
    allowusers root git

It seems like no matter what I try (even DEBUG3) I cannot get it to spit out "publickey denied" so that we can ban with our banning daemons. I am at a loss since I've tried everything that I can think of.

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/cam5xqnzh5g0zotwwlhi5t2miit38jqhh_e66v84uexjmydl...@mail.gmail.com
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 1, 2012 at 6:31 AM, Taz <taz.ins...@gmail.com> wrote:
>> rsaauthentication no
> change this to yes

I'm at a loss: how is setting an option that does not even apply to us (since we use Protocol 2 and that option is moot for us anyways) going to fix a logging issue? Perhaps I need to be more explicit, and I am sorry if I was too brief and didn't explain the situation very well. I am able to log in with no problem using our keys; rsaauthentication is not the problem and never will be. The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all no matter the logging level.

Archive: http://lists.debian.org/CAN5oe=26YXWbeuA51X8cgpW=1cw13cg0oed4eaadk6duxk5...@mail.gmail.com
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
> The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all no matter the logging level.

Run the command below.

    grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?

If you don't get 1 as output, your sshd is compromised.

Archive: http://lists.debian.org/20120301205136.ga10...@master.debian.org
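Aníbal's command above, wrapped as an added helper that is not part of the thread: it searches for the same marker string, but as one quoted fixed-string pattern (`-F`), binary-safe (`-a`), and with three distinct exit codes so that a cron job or monitoring check cannot mistake an unreadable file for a clean one. It is demonstrated on constructed files rather than on the live /usr/sbin/sshd; calling `check_sshd_binary` with no argument tests the real binary.

```sh
#!/bin/sh
# Added example (not from the thread): wrap the list's grep check in a function with a
# three-way result so that a monitoring job can act on it. The marker string is the
# one quoted in the thread; grep runs fixed-string (-F), binary-safe (-a) and quiet (-q).
MARKER='ssh:1.%.30s@%.128s.s password:'

# check_sshd_binary [FILE]   (FILE defaults to /usr/sbin/sshd)
#   exit 0 -> marker absent (the expected result on a clean sshd)
#   exit 1 -> marker present (treat the host as suspect)
#   exit 2 -> FILE missing or unreadable (never report "clean" on an error)
check_sshd_binary() {
    file=${1:-/usr/sbin/sshd}
    if [ ! -r "$file" ]; then
        printf 'ERROR: cannot read %s\n' "$file" >&2
        return 2
    fi
    if grep -a -F -q -- "$MARKER" "$file"; then
        printf 'SUSPECT: %s contains the marker string\n' "$file"
        return 1
    fi
    printf 'CLEAN: marker not found in %s\n' "$file"
    return 0
}

# Demonstration on constructed fixtures rather than the live binary: one file that
# carries the marker, one that does not, and one that does not exist.
demo() {
    tmpdir=$(mktemp -d)
    printf 'some text\n%s\nmore text\n' "$MARKER" > "$tmpdir/trojaned"
    printf 'some text\nmore text\n' > "$tmpdir/clean"
    for f in trojaned clean does-not-exist; do
        rc=0
        check_sshd_binary "$tmpdir/$f" || rc=$?
        echo "$f -> exit $rc"
    done
    rm -rf "$tmpdir"
}

demo
```

A string match on the binary only catches the one trojan variant that carries this string; a package integrity check (debsums on Debian of that era) is the complementary test for a modified sshd.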
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote:
> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>> The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all no matter the logging level.

The chroot doesn't have a socket to log to... Have syslog listen on something like: /var/run/sshd/dev/log

> Run the command below.
>
>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>
> If you don't get 1 as output, your sshd is compromised.

Archive: http://lists.debian.org/4f4fe73d.7020...@mikemestnik.net
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
2012/3/1 Aníbal Monsalve Salazar <ani...@debian.org>:
> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>> The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all no matter the logging level.
>
> Run the command below.
>
>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>
> If you don't get 1 as output, your sshd is compromised.

It returned 1. This happens on freshly installed Debian and Ubuntu too though; tested it on Ubuntu too.

Archive: http://lists.debian.org/CAN5oe=2yqynmr5m7xohrzuto_xsfiqrpvbb+xnkbiyghvnd...@mail.gmail.com
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 1, 2012 at 3:16 PM, Mike Mestnik <che...@mikemestnik.net> wrote:
> On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote:
>> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>>> The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all no matter the logging level.
>
> The chroot doesn't have a socket to log to... Have syslog listen on something like: /var/run/sshd/dev/log

There is no chroot. I hope I didn't imply there was or is one.

Archive: http://lists.debian.org/CAN5oe=2ZuwRdbGCTdgB4Wr7TfDVhHQwh9BDbWVctOBRvhNp=q...@mail.gmail.com
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
>> Run the command below.
>>
>>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>>
>> If you don't get 1 as output, your sshd is compromised.
>
> It returned 1. This happens on freshly installed Debian and Ubuntu too though; tested it on Ubuntu too.

http://etbe.coker.com.au/2011/12/31/server-cracked/

If you had a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0. I don't know what relevance this has to a discussion of OpenSSH logging though.

I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Archive: http://lists.debian.org/201203021157.47219.russ...@coker.com.au
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On 03/01/12 18:23, Bedwell, Jordon wrote:
> On Thu, Mar 1, 2012 at 3:16 PM, Mike Mestnik <che...@mikemestnik.net> wrote:
>> On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote:
>>> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>>>> The problem is I cannot get sshd to log "publickey denied" errors to /var/log/auth.log so our daemons can ban these users. I want to know what happened to messages like "publickey denied for [user] from [ip]". I cannot get it to log those messages at all no matter the logging level.
>>
>> The chroot doesn't have a socket to log to... Have syslog listen on something like: /var/run/sshd/dev/log
>
> There is no chroot. I hope I didn't imply there was or is one.

Actually there is. sshd by default runs the key checking/testing and auth in a chroot. Thus even if it sends log messages (and it does) there is nowhere to send them and so they vanish... by default. I believe I've opened a bug about this.

Archive: http://lists.debian.org/4f502d3b@mikemestnik.net
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On 03/01/12 18:57, Russell Coker wrote:
> On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
>>> Run the command below.
>>>
>>>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>>>
>>> If you don't get 1 as output, your sshd is compromised.
>>
>> It returned 1. This happens on freshly installed Debian and Ubuntu too though; tested it on Ubuntu too.
>
> http://etbe.coker.com.au/2011/12/31/server-cracked/
>
> If you had a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0. I don't know what relevance this has to a discussion of OpenSSH logging though.
>
> I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.

From what I know that information (the comment on the key) is not very secure; Joe could put "Bob" as his comment... However one could do a look-up on the key from a key-server and get the email address that way. This is assuming that people are using their gpg (email) keys for ssh.

Archive: http://lists.debian.org/4f502dff.1050...@mikemestnik.net
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Fri, 2 Mar 2012, Mike Mestnik <che...@mikemestnik.net> wrote:
>> I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.
>
> From what I know that information (the comment on the key) is not very secure; Joe could put "Bob" as his comment... However one could do a look-up on the key from a key-server and get the email address that way. This is assuming that people are using their gpg (email) keys for ssh.

As the person who edits ~/.ssh/authorized_keys can put whatever they like in that field, the value isn't great globally. But in the scope of the one account it matters. For example, if your account was compromised via a ssh authentication and you had three public keys listed, it would be really convenient to know which of the three was used. While the second hostile login couldn't have any useful logging data if my suggestion was followed, the first would.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Archive: http://lists.debian.org/201203021348.00806.russ...@coker.com.au
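Russell's wish to see which of an account's authorized keys was used, as an added example that is not code from the thread or from OpenSSH: instead of trusting the comment field, it takes the key fingerprint that sshd at LogLevel VERBOSE records in a "Found matching RSA key: <fingerprint>" line (the message format and the colon-separated MD5 fingerprint are assumptions about this sshd version) and looks up the authorized_keys entry with that fingerprint, printing its comment only as a label. Mike's objection still holds: the comment is whatever the account owner typed, so the fingerprint is the identity and the comment a display name. The key blobs, comments and log line below are constructed sample data; entries with an options prefix are not handled.

```sh
#!/bin/sh
# Added example (not from the thread): tie a successful publickey login back to the
# authorized_keys entry that accepted it. Assumes sshd at LogLevel VERBOSE logs a line of
# the form "Found matching RSA key: <md5 fingerprint>" (assumption about this sshd version),
# with the fingerprint as colon-separated MD5 hex, and that authorized_keys lines carry no
# options prefix. Everything below is constructed sample data, not real keys or logs.

# Constructed authorized_keys content; the blobs are valid base64 but not real keys.
AUTHORIZED_KEYS='ssh-rsa QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRQ2pkZQ== russell@coker.com.au
ssh-rsa QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRQ2pkZg== deploy@build-host'

# fingerprint BLOB: MD5 fingerprint of a base64 key blob in sshd's colon-separated form.
fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# log_fingerprint: sshd log lines on stdin; print the fingerprint from the first
# "Found matching ... key:" line, or nothing.
log_fingerprint() {
    sed -n 's/.*Found matching [A-Z0-9]* key: \([0-9a-f:]*\).*/\1/p' | head -n 1
}

# comment_for_fingerprint FP: authorized_keys on stdin; print the comment field of the
# entry whose fingerprint equals FP and return 0, or return 1 if no entry matches.
# The fingerprint is the trusted selector; the comment is only the owner's label.
comment_for_fingerprint() {
    want=$1
    while read -r ktype blob comment; do
        case $ktype in ''|\#*) continue ;; esac
        if [ "$(fingerprint "$blob")" = "$want" ]; then
            printf '%s\n' "$comment"
            return 0
        fi
    done
    return 1
}

demo() {
    fp=$(fingerprint 'QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRQ2pkZQ==')
    # Constructed log line in the assumed format, carrying that fingerprint.
    line="Mar  2 11:57:47 host sshd[1234]: Found matching RSA key: $fp"
    seen=$(printf '%s\n' "$line" | log_fingerprint)
    who=$(printf '%s\n' "$AUTHORIZED_KEYS" | comment_for_fingerprint "$seen") || who='(no matching entry)'
    printf 'ssh key %s (fingerprint %s) was used\n' "$who" "$seen"
}

demo
```

On a real host the second pipeline would read `~user/.ssh/authorized_keys` instead of the constructed variable; the lookup is keyed on the fingerprint alone, so a comment edited after the fact cannot redirect it.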
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <che...@mikemestnik.net> wrote:
> On 03/01/12 18:57, Russell Coker wrote:
>> On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
>>>> Run the command below.
>>>>
>>>>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>>>>
>>>> If you don't get 1 as output, your sshd is compromised.
>>>
>>> It returned 1. This happens on freshly installed Debian and Ubuntu too though; tested it on Ubuntu too.
>>
>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>
>> If you had a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0. I don't know what relevance this has to a discussion of OpenSSH logging though.
>>
>> I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.
>
> From what I know that information (the comment on the key) is not very secure; Joe could put "Bob" as his comment... However one could do a look-up on the key from a key-server and get the email address that way. This is assuming that people are using their gpg (email) keys for ssh.

I don't know if the chroot idea is legitimate or not, but I went ahead and started a logger in /run/sshd/dev/log and there were still no logs for "publickey denied", and if this idea was actually for sure true, why would it show successful logins in the log and not unsuccessful logins in the log?

Archive: http://lists.debian.org/CAN5oe=0waxekp_rjvcb72d9subel35q_9mp1ue5pvqonmkc...@mail.gmail.com
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On 03/01/12 21:00, Bedwell, Jordon wrote:
> On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <che...@mikemestnik.net> wrote:
>> On 03/01/12 18:57, Russell Coker wrote:
>>> On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
>>>>> Run the command below.
>>>>>
>>>>>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>>>>>
>>>>> If you don't get 1 as output, your sshd is compromised.
>>>>
>>>> It returned 1. This happens on freshly installed Debian and Ubuntu too though; tested it on Ubuntu too.
>>>
>>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>>
>>> If you had a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0. I don't know what relevance this has to a discussion of OpenSSH logging though.
>>>
>>> I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.
>>
>> From what I know that information (the comment on the key) is not very secure; Joe could put "Bob" as his comment... However one could do a look-up on the key from a key-server and get the email address that way. This is assuming that people are using their gpg (email) keys for ssh.
>
> I don't know if the chroot idea is legitimate or not, but I went ahead and started a logger in /run/sshd/dev/log and there were still no logs for "publickey denied", and if this idea was actually for sure true, why would it show successful logins in the log and not unsuccessful logins in the log?

I don't know the details, but I've done this and was then able to track down my kerberos issues. Unsuccessful logins might not ever leave the chroot; they exit there and then. Successful logins get a return somehow, likely via a pipe created earlier.

It seems like this isn't working for you. That's when I start ssh on another port under an strace...

    strace -f sshd -p 222

Plus whatever other options. Then ssh to port 222 and get the log of what happens...

This is how I originally discovered where I needed to place my syslog socket.

Archive: http://lists.debian.org/4f503bab.9020...@mikemestnik.net
Re: OpenSSH not logging denied public keys, even with logging set to verbose.
On 03/01/12 21:16, Mike Mestnik wrote:
> On 03/01/12 21:00, Bedwell, Jordon wrote:
>> On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <che...@mikemestnik.net> wrote:
>>> On 03/01/12 18:57, Russell Coker wrote:
>>>> On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
>>>>>> Run the command below.
>>>>>>
>>>>>>     grep 'ssh:1.%.30s@%.128s.s password:' /usr/sbin/sshd; echo $?
>>>>>>
>>>>>> If you don't get 1 as output, your sshd is compromised.
>>>>>
>>>>> It returned 1. This happens on freshly installed Debian and Ubuntu too though; tested it on Ubuntu too.
>>>>
>>>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>>>
>>>> If you had a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0. I don't know what relevance this has to a discussion of OpenSSH logging though.
>>>>
>>>> I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.
>>>
>>> From what I know that information (the comment on the key) is not very secure; Joe could put "Bob" as his comment... However one could do a look-up on the key from a key-server and get the email address that way. This is assuming that people are using their gpg (email) keys for ssh.
>>
>> I don't know if the chroot idea is legitimate or not, but I went ahead and started a logger in /run/sshd/dev/log and there were still no logs for "publickey denied", and if this idea was actually for sure true, why would it show successful logins in the log and not unsuccessful logins in the log?
>
> I don't know the details, but I've done this and was then able to track down my kerberos issues. Unsuccessful logins might not ever leave the chroot; they exit there and then. Successful logins get a return somehow, likely via a pipe created earlier.
>
> It seems like this isn't working for you. That's when I start ssh on another port under an strace...
>
>     strace -f sshd -p 222
>
> Plus whatever other options. Then ssh to port 222 and get the log of what happens...
>
> This is how I originally discovered where I needed to place my syslog socket.

This document says /var/empty; that would make it /var/empty/dev/log. Use strace to check where the chroot is, or set the location in the sshd_config file, assuming there is an option for that.

http://www.citi.umich.edu/u/provos/ssh/privsep.html

Archive: http://lists.debian.org/4f50407e.1060...@mikemestnik.net
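Mike's strace approach (his previous message and this one), as an added example that is not from the thread: rather than assuming a chroot exists, it reads `strace -f` output from an sshd started on a spare port, extracts the chroot() target and any unix-socket connect() that failed with ENOENT, and from those derives the host-side socket path plus the rsyslog directive (`$AddUnixListenSocket`, from the imuxsock module; the example assumes rsyslog is the syslog daemon) that would make the child's messages reachable. The strace lines are constructed for the demo; the directory, pid and errno are not from any real capture. If no chroot() shows up in the trace, the function says so and returns non-zero, which is the situation Jordon reports.

```sh
#!/bin/sh
# Added example (not from the thread): check the chroot explanation against an strace
# before placing a syslog socket. Input is "strace -f" output from an sshd run on a spare
# port. The sample below is constructed to resemble strace output, not a real capture.
SAMPLE_STRACE='[pid 12345] chroot("/var/run/sshd")          = 0
[pid 12345] chdir("/")                         = 0
[pid 12345] setgid(105)                        = 0
[pid 12345] socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid 12345] connect(4, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
[pid 12345] close(4)                           = 0'

# chroot_dir: strace output on stdin; print the first chroot() target, or nothing.
chroot_dir() {
    sed -n 's/.*chroot("\([^"]*\)").*/\1/p' | head -n 1
}

# failed_unix_socket: strace output on stdin; print the path of the first AF_UNIX/AF_FILE
# connect() that failed with ENOENT, or nothing.
failed_unix_socket() {
    sed -n 's/.*connect([0-9]*, {sa_family=AF_[A-Z]*, [a-z_]*path="\([^"]*\)"}.*= -1 ENOENT.*/\1/p' | head -n 1
}

# diagnose: strace output on stdin. Returns 0 and prints the host-side socket path plus an
# rsyslog directive (assumes rsyslog with imuxsock) when the child chroots and then cannot
# reach its log socket; returns 1 with an explanation otherwise.
diagnose() {
    input=$(cat)
    dir=$(printf '%s\n' "$input" | chroot_dir)
    sock=$(printf '%s\n' "$input" | failed_unix_socket)
    if [ -z "$dir" ]; then
        echo "no chroot() seen: missing messages are not a chroot/socket problem"
        return 1
    fi
    if [ -z "$sock" ]; then
        echo "chroot to $dir seen, but no failed socket connect: logging path looks intact"
        return 1
    fi
    echo "child chroots to $dir and cannot reach $sock from inside it"
    echo "host-side socket path: $dir$sock"
    echo "rsyslog directive:     \$AddUnixListenSocket $dir$sock"
    return 0
}

printf '%s\n' "$SAMPLE_STRACE" | diagnose
```

With a real trace, feed the file in with `diagnose < sshd.strace`; the directive it prints goes into the rsyslog configuration, after which the daemon must be restarted so the socket is created under the chroot directory.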