From owner-freebsd-stable@FreeBSD.ORG Fri Jul 9 02:29:37 2010
Message-ID: <4C368983.4040100@gmail.com>
Date: Thu, 08 Jul 2010 22:29:23 -0400
From: Glen Barber
To: David Adam
Cc: stable@FreeBSD.org
Subject: Re: sshd logging with key-only authentication
References: <4C366257.8040201@gmail.com>

On 7/8/10 10:24 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>> I've been seeing quite a few ssh brute-force attacks which appear to be
>> dictionary-based. That's fine; I have proper measures in place, such as
>> key-only access, brute-force tables for PF, and so on; though some of the
>> attacks are delaying login attempts, bypassing the brute-force rules, that
>> isn't the reason for this post.
>>
>> What caught my interest is that if I attempt to log in from a machine where I
>> do not have my key, or have an incorrect key, I see nothing logged in auth.log
>> about a failed login attempt. If I attempt with an invalid username, as
>> expected, I see 'Invalid user ${USER} from ${IP}.'
>>
>> I'm more concerned with ssh login failures with valid user names. Looking at
>> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
>> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
>> empty), and has an executable shell. I'm no C hacker, but superficially it
>> looks like it can never meet a condition where the user is valid but the key
>> is invalid to trigger a log entry.
>>
>> Is this a bug in openssh, or have I overlooked something in my configuration?
>
> With LogLevel VERBOSE, you should get entries like
> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>
> Is that what you're after?
>

Sort of, but do I really need to set verbose logging to find out that valid
users are being used in SSH attacks?

root is an obvious target, which in my scenario is not allowed. I'm concerned
about more specific, allowed users.

Regards,

--
Glen Barber
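As an added example (not part of the thread, and not OpenSSH or FreeBSD code), the following Python parses the two sshd messages quoted above out of constructed auth.log lines: 'Invalid user ... from ...', which is logged at the default LogLevel INFO, and 'Failed publickey for ... from ... port ... ssh2', which David notes requires LogLevel VERBOSE. It counts failed key logins against existing accounts per source address and checks whether an sshd_config actually sets a level at which those entries are written. Host name, user names, addresses and PIDs in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from the thread). "Failed publickey"
# lines for existing accounts depend on LogLevel VERBOSE or higher; at the
# default INFO the key failure Glen describes is not logged at all.
SAMPLE_AUTH_LOG = """\
Jul  9 02:10:11 host sshd[88595]: Invalid user oracle from 203.0.113.9
Jul  9 02:10:15 host sshd[88597]: Failed publickey for invalid user oracle from 203.0.113.9 port 40211 ssh2
Jul  9 02:11:02 host sshd[88601]: Failed publickey for alice from 198.51.100.7 port 41256 ssh2
Jul  9 02:11:09 host sshd[88603]: Failed publickey for alice from 198.51.100.7 port 41260 ssh2
Jul  9 02:11:14 host sshd[88605]: Failed publickey for bob from 198.51.100.7 port 41263 ssh2
Jul  9 02:12:30 host sshd[88610]: Accepted publickey for alice from 192.0.2.5 port 50022 ssh2
"""

# Formats quoted in the thread; OpenSSH prefixes "invalid user " when the
# account does not exist. sshd_config keywords and values are case-insensitive.
FAILED_PUBKEY = re.compile(
    r"sshd\[\d+\]: Failed publickey for (invalid user )?(\S+) from (\S+) port \d+")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
LOGLEVEL = re.compile(r"^\s*LogLevel\s+(\S+)", re.IGNORECASE | re.MULTILINE)
VERBOSE_LEVELS = {"VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}  # emit the line

def summarize(log_text):
    """Return (valid_fail, invalid): ip -> Counter(user) for failed key logins
    against existing accounts, and for probes of accounts that do not exist."""
    valid_fail = defaultdict(Counter)
    invalid = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_PUBKEY.search(line)
        if m:
            prefix, user, ip = m.groups()
            if not prefix:  # non-existent accounts are counted via "Invalid user"
                valid_fail[ip][user] += 1
            continue
        m = INVALID_USER.search(line)
        if m:
            user, ip = m.groups()
            invalid[ip][user] += 1
    return valid_fail, invalid

def suspicious_sources(valid_fail, threshold=3):
    """Addresses with at least `threshold` failed key logins against real users."""
    return sorted(ip for ip, c in valid_fail.items() if sum(c.values()) >= threshold)

def logs_failed_publickey(sshd_config_text):
    """True if the configured LogLevel is high enough for 'Failed publickey'."""
    m = LOGLEVEL.search(sshd_config_text)
    level = m.group(1).upper() if m else "INFO"  # sshd's default is INFO
    return level in VERBOSE_LEVELS
```

With the default LogLevel the first mapping stays empty no matter how many key failures valid accounts receive, which is exactly the blind spot the thread is about.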