From: David Adam
To: Glen Barber
Date: Fri, 9 Jul 2010 10:24:42 +0800 (WST)
Cc: stable@FreeBSD.org
Subject: Re: sshd logging with key-only authentication

On Thu, 8 Jul 2010, Glen Barber wrote:

> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
> dictionary-based. That's fine; I have proper measures in place, such as
> key-only access, bruteforce tables for PF, and so on; though some of the
> attacks are delaying login attempts, bypassing the bruteforce rules, but that
> isn't the reason for this post.
>
> What caught my interest is if I attempt to log in from a machine where I do
> not have my key or an incorrect key, I see nothing logged in auth.log about a
> failed login attempt. If I attempt with an invalid username, as expected, I
> see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names. Looking at
> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
> empty), and has an executable shell. I'm no C hacker, but superficially it
> looks like it can never meet a condition where the user is valid but the key
> is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my configuration?

With LogLevel VERBOSE, you should get entries like

    sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2

Is that what you're after?

David Adam
zanchey@ucc.gu.uwa.edu.au
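Added example (not part of the original thread, and not code from OpenSSH or FreeBSD): a Python script that reads auth.log lines written with LogLevel VERBOSE and separates "Failed publickey" entries for valid accounts from those for invalid users, per source address. The sample log lines, the documentation-range addresses, the function names and the threshold are constructed for illustration; it also assumes that a client offering more than one key can log a failure before its eventual "Accepted publickey" line.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the original thread), in the
# format sshd writes with "LogLevel VERBOSE" set in sshd_config.
SAMPLE_LOG = """\
Jul  9 10:01:02 host sshd[88595]: Failed publickey for root from 192.0.2.10 port 41256 ssh2
Jul  9 10:01:05 host sshd[88595]: Failed publickey for root from 192.0.2.10 port 41256 ssh2
Jul  9 10:02:11 host sshd[88601]: Invalid user admin from 192.0.2.10
Jul  9 10:02:11 host sshd[88601]: Failed publickey for invalid user admin from 192.0.2.10 port 41300 ssh2
Jul  9 10:03:40 host sshd[88610]: Failed publickey for glen from 198.51.100.7 port 50022 ssh2
Jul  9 10:03:40 host sshd[88610]: Accepted publickey for glen from 198.51.100.7 port 50022 ssh2
"""

# "Failed/Accepted publickey for [invalid user ]NAME from ADDR port N ssh2"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) publickey for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def summarize(log_text):
    """Count publickey results per source address."""
    stats = defaultdict(lambda: {"failed_valid": 0, "failed_invalid": 0,
                                 "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # e.g. the separate "Invalid user ..." line
        s = stats[m["addr"]]
        if m["result"] == "Accepted":
            s["accepted"] += 1
        elif m["invalid"]:
            s["failed_invalid"] += 1
        else:
            s["failed_valid"] += 1
            s["users"].add(m["user"])
    return dict(stats)

def suspicious_sources(log_text, threshold=2):
    """Sources with >= threshold key failures against valid accounts and
    no successful login (assumed: a multi-key client may fail first)."""
    return {addr: sorted(s["users"])
            for addr, s in summarize(log_text).items()
            if s["failed_valid"] >= threshold and s["accepted"] == 0}

if __name__ == "__main__":
    for addr, users in suspicious_sources(SAMPLE_LOG).items():
        print(f"{addr}: failed publickey for valid users {users}")
```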