From owner-freebsd-stable@FreeBSD.ORG Thu Jul 8 23:42:26 2010 Return-Path: Delivered-To: stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2C90E106566B for ; Thu, 8 Jul 2010 23:42:26 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54]) by mx1.freebsd.org (Postfix) with ESMTP id D15418FC08 for ; Thu, 8 Jul 2010 23:42:25 +0000 (UTC) Received: by vws6 with SMTP id 6so2150139vws.13 for ; Thu, 08 Jul 2010 16:42:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:content-type :content-transfer-encoding; bh=1SnnMe1Tpi+gx0DuW3ozhG2hS1FAM62DYAo5bhn/B2Q=; b=fLXD2y6UyJ0R+FaM7l5fMklV1u1+LDOrcydL0fp++l/6XC0caRY2h/V2DLhLKg3nWI xlsXv9eaTSa6PBasbUWjkbOV9p3a9izFIMjENuZjRtx9cEQifqB2qRnz/ZOJ8MVkegvY KBuBuhbiCY9bsy55FFnb63Utsy67NIbnxsygk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; b=X20FK012F5YoG97UXWTneOIGZfbFSWaokSAnZJL4wIGpU6bHfST/8HdyscEBVBT51c 4XIknEe+b0VjId03irXkED/jQlBaT3+YJzugISYdoFCV2Fi0H4mEVJC4iDSleMdwGZZy T5MG1yDxR1H2Bz9maTDHlwnVHeHYYmBfBuHzo= Received: by 10.220.167.133 with SMTP id q5mr4778016vcy.114.1278632538539; Thu, 08 Jul 2010 16:42:18 -0700 (PDT) Received: from schism.local (c-71-230-240-241.hsd1.pa.comcast.net [71.230.240.241]) by mx.google.com with ESMTPS id k10sm294299vcj.19.2010.07.08.16.42.16 (version=SSLv3 cipher=RC4-MD5); Thu, 08 Jul 2010 16:42:16 -0700 (PDT) Message-ID: <4C366257.8040201@gmail.com> Date: Thu, 08 Jul 2010 19:42:15 -0400 From: Glen Barber User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) Gecko/20100608 Thunderbird/3.1 MIME-Version: 1.0 To: stable@FreeBSD.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: sshd logging with key-only authentication X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jul 2010 23:42:26 -0000 Hi, I've been seeing quite a bit of ssh bruteforce attacks which appear to be dictionary-based. That's fine; I have proper measures in place, such as key-only access, bruteforce tables for PF, and so on; though some of the attacks are delaying login attempts, bypassing the bruteforce rules, but that isn't the reason for this post. What caught my interest is if I attempt to log in from a machine where I do not have my key or an incorrect key, I see nothing logged in auth.log about a failed login attempt. If I attempt with an invalid username, as expected, I see 'Invalid user ${USER} from ${IP}.' I'm more concerned with ssh login failures with valid user names. Looking at crypto/openssh/auth.c, allowed_user() returns true if the user is not in DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not empty), and has an executable shell. I'm no C hacker, but superficially it looks like it can never meet a condition where the user is valid but the key is invalid to trigger a log entry. Is this a bug in openssh, or have I overlooked something in my configuration? Regards, -- Glen Barber