Date: Fri, 14 Nov 2008 19:00:56 -0600 From: Steven Susbauer <stupendoussteve@hotmail.com> To: Lisa Casey <lisa@jellico.com> Cc: freebsd-questions@freebsd.org Subject: Re: Question about entry in auth.log Message-ID: <491E1F48.6070901@hotmail.com> In-Reply-To: <B8B09B39A8884900970CF2434D40F6C4@CaseyHome> References: <B8B09B39A8884900970CF2434D40F6C4@CaseyHome>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Lisa Casey wrote: > Hi, > > I run several FreeBSD servers. Today I noticed an entry in the auth.log > on one of them that concerns me. The entry is this: > > Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for > michael from 89.123.165.3 po > rt 55185 ssh2 > > There is a user michael on the system, but whoever was doing this was > not him. > > I am assuming someone tried to break in using a valid username (michael) > but with an incorrect password. So I just conducted an experiment to see > if I could replicate that log entry using another valid username: mandy. > I ssh'ed into the server, gave mandy as the username with an incorrect > password. The auth.log entry for that attempt is this: > > Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from > 72.155.127.223 port 51919 ssh2 > > and when I used something called keyboard interactive as the primary > authentication method in my ssh client, I get this: > > sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223 > > Nothing about Accepted keyboard-interactive/pam. What does Accepted > keyboard-interactive/pam mean? > > Also, in my ssh client, for authentication methods I have a choice of > password, publickey or keyboard interactive. I've always used password, > and never even noticed that keyboard interactive before. What is that? > > Thanks, > > Lisa Casey > Keyboard-interactive includes when the server sends requests such as "Password:" to which the connector responds by typing their password. This is different from entering the password in your client before connecting. Example: $ ssh steve@thinkpad steve@thinkpad's password: Try doing similar with the correct password and I bet you will see the "Accepted/keyboard-interactive", it may be possible that michael's password is no longer secure. [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkkeH0sACgkQ2i3YYzbDt08I9wCbBTfguxsM5LQ/q6sC9dsyiwiX 3xYAoMi0xELbtiFhBkEcggQKFa44SXpB =Vigt -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491E1F48.6070901>