From owner-freebsd-questions@FreeBSD.ORG Mon Apr 21 04:54:15 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D831637B401 for ; Mon, 21 Apr 2003 04:54:15 -0700 (PDT) Received: from lv.raad.tartu.ee (lv.raad.tartu.ee [194.126.106.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A9D343FCB for ; Mon, 21 Apr 2003 04:54:14 -0700 (PDT) (envelope-from toomas.aas@raad.tartu.ee) Received: Message by Barricade lv.raad.tartu.ee with ESMTP id h3LBs3107112; Mon, 21 Apr 2003 14:54:03 +0300 Message-Id: <200304211154.h3LBs3107112@lv.raad.tartu.ee> Received: from INFO/SpoolDir by raad.tartu.ee (Mercury 1.48); 21 Apr 03 14:54:00 +0300 Received: from SpoolDir by INFO (Mercury 1.48); 21 Apr 03 14:53:33 +0300 From: "Toomas Aas" Organization: Tartu City Government To: Matthew Seaman Date: Mon, 21 Apr 2003 14:53:28 +0300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Priority: normal In-reply-to: <20030421102316.GB30592@happy-idiot-talk.infracaninophi> References: <200304210820.h3L8KhC30223@lv.raad.tartu.ee> cc: freebsd-questions@freebsd.org Subject: Re: sshd: buffer_get trying to get more bytes than in buffer X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Apr 2003 11:54:16 -0000 Hi! Matthew Seaman wrote: > On Mon, Apr 21, 2003 at 11:20:21AM +0300, Toomas Aas wrote: > > I've noticed that one of my users logging in via ssh from one particular IP > > always causes this message to appear in auth.log: > > > > Apr 20 15:43:18 heerold sshd[18766]: fatal: buffer_get: trying to get more bytes 4 than in buffer 0 > > > > The same user logs in from several different IP-s and the message only > > appears when he logs in from one particular IP. This leads me to believe > > that it might be just a quirk in the SSH client software he uses on this > > particular PC, but I just wanted to confirm that it's not actually an > > indication of Something Evil in progress. > > http://www.securityfocus.com/archive/121/261925/2002-03-08/2002-03-14/2 > > Looks like damage to the user's authorized_keys file: In this case it seems to be something else, because this user doesn't even have authorized_keys (nor authorized_keys2) files in ~/.ssh But thanks anyway. -- Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/ * I spilled spot remover on my dog. Now he's gone.