Date:      Thu, 08 Jul 2010 19:42:15 -0400
From:      Glen Barber <glen.j.barber@gmail.com>
To:        stable@FreeBSD.org
Subject:   sshd logging with key-only authentication
Message-ID:  <4C366257.8040201@gmail.com>

Hi,

I've been seeing quite a few ssh brute-force attacks which appear to
be dictionary-based.  That's fine; I have proper measures in place, such
as key-only access, brute-force tables for PF, and so on.  Some of
the attacks are delaying login attempts, bypassing the brute-force rules,
but that isn't the reason for this post.

What caught my interest is if I attempt to log in from a machine where I 
do not have my key or an incorrect key, I see nothing logged in auth.log 
about a failed login attempt.  If I attempt with an invalid username, as 
expected, I see 'Invalid user ${USER} from ${IP}.'

I'm more concerned with ssh login failures with valid user names. 
Looking at crypto/openssh/auth.c, allowed_user() returns true if the 
user is not in DenyUsers or DenyGroups, exists in AllowUsers or 
AllowGroups (if it is not empty), and has an executable shell.  I'm no C 
hacker, but superficially it looks like it can never meet a condition 
where the user is valid but the key is invalid to trigger a log entry.

Is this a bug in openssh, or have I overlooked something in my 
configuration?

Regards,

-- 
Glen Barber
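A small log-triage script, added here as an example and not part of the original post or of OpenSSH. It separates the two attack classes the post distinguishes: attempts against usernames sshd rejects outright (the "Invalid user ... from ..." line the post already sees) and attempts against valid usernames with a rejected key. The one assumption is that sshd runs with "LogLevel VERBOSE" in sshd_config, which is the level at which OpenSSH's auth_log() in auth.c records a "Failed publickey for <user> from <ip>" line for a valid user before the connection has burned through half of MaxAuthTries; at the default LogLevel INFO that line is suppressed, which matches the silence described above. The log lines are constructed samples, not real captures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from the original post).  The
# "Failed publickey for <user>" lines are only written at LogLevel VERBOSE.
SAMPLE_AUTH_LOG = """\
Jul  8 19:10:01 host sshd[1201]: Invalid user admin from 203.0.113.5
Jul  8 19:10:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Jul  8 19:10:09 host sshd[1207]: Invalid user oracle from 203.0.113.5
Jul  8 19:11:30 host sshd[1222]: Failed publickey for glen from 198.51.100.7 port 51022 ssh2
Jul  8 19:11:31 host sshd[1222]: Failed publickey for glen from 198.51.100.7 port 51022 ssh2
Jul  8 19:11:40 host sshd[1230]: Accepted publickey for glen from 192.0.2.10 port 52000 ssh2
Jul  8 19:12:02 host sshd[1241]: Failed publickey for root from 198.51.100.7 port 51040 ssh2
"""

# "Invalid user <user> from <ip>": the username failed allowed_user() checks.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# "Failed <method> for [invalid user ]<user> from <ip>": a rejected auth
# attempt; the optional "invalid user" marker means the name was bogus.
FAILED_AUTH_RE = re.compile(
    r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+)")


def classify_failures(log_text):
    """Split sshd failures by source IP into two classes.

    Returns (invalid_user, valid_user_failed, users_tried):
      invalid_user      -> Counter of attempts per IP against unknown names
      valid_user_failed -> Counter of attempts per IP against real accounts
                           (bad key, or bad password if that method is on)
      users_tried       -> IP -> set of real account names probed
    """
    invalid_user = Counter()
    valid_user_failed = Counter()
    users_tried = defaultdict(set)

    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            _user, ip = m.groups()
            invalid_user[ip] += 1
            continue
        m = FAILED_AUTH_RE.search(line)
        if not m:
            continue  # "Accepted ..." and unrelated lines are ignored
        _method, user, ip = m.groups()
        if "invalid user" in line:
            # Already counted through its "Invalid user" line; don't double count.
            continue
        valid_user_failed[ip] += 1
        users_tried[ip].add(user)

    return invalid_user, valid_user_failed, users_tried


def ips_over_threshold(counter, threshold):
    """IPs with at least `threshold` failures, most active first."""
    hits = [(ip, n) for ip, n in counter.items() if n >= threshold]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return [ip for ip, _n in hits]


if __name__ == "__main__":
    invalid, valid_failed, users = classify_failures(SAMPLE_AUTH_LOG)
    print("bogus usernames:", dict(invalid))
    print("real accounts, key rejected:", dict(valid_failed))
    for ip in ips_over_threshold(valid_failed, 3):
        # Candidate for the PF brute-force table, e.g. in a shell wrapper:
        #   pfctl -t bruteforce -T add <ip>   (hypothetical table name)
        print("block candidate:", ip, "probed", sorted(users[ip]))
```

The script deliberately keys on the whole attempt sequence rather than on single lines, so the slow, spread-out attempts that slip past per-connection rate rules still accumulate per IP; the threshold is a placeholder to be tuned against the PF rule set already in place.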