From: David Adam <zanchey@ucc.gu.uwa.edu.au>
To: Glen Barber
Cc: stable@FreeBSD.org
Date: Fri, 9 Jul 2010 11:13:26 +0800 (WST)
Subject: Re: sshd logging with key-only authentication
In-Reply-To: <4C368983.4040100@gmail.com>
References: <4C366257.8040201@gmail.com> <4C368983.4040100@gmail.com>
List-Id: Production branch of FreeBSD source code (freebsd-stable)

On Thu, 8 Jul 2010, Glen Barber wrote:

> On 7/8/10 10:24 PM, David Adam wrote:
> > On Thu, 8 Jul 2010, Glen Barber wrote:
> > > What caught my interest is if I attempt to log in from a machine
> > > where I do not have my key or an incorrect key, I see nothing logged
> > > in auth.log about a failed login attempt. If I attempt with an
> > > invalid username, as expected, I see 'Invalid user ${USER} from
> > > ${IP}.'
> > >
> > > I'm more concerned with ssh login failures with valid user names.
> > > Looking at crypto/openssh/auth.c, allowed_user() returns true if the
> > > user is not in DenyUsers or DenyGroups, exists in AllowUsers or
> > > AllowGroups (if it is not empty), and has an executable shell. I'm
> > > no C hacker, but superficially it looks like it can never meet a
> > > condition where the user is valid but the key is invalid to trigger
> > > a log entry.
> > >
> > > Is this a bug in openssh, or have I overlooked something in my
> > > configuration?
> >
> > With LogLevel VERBOSE, you should get entries like
> > sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
> >
> > Is that what you're after?
>
> Sort of, but do I really need to set verbose logging to find that valid users
> are used in SSH attacks? root is an obvious target, which in my scenario is
> not allowed. I'm concerned about more specific, allowed users.

It's just an example I pulled out of the logs. You won't get that message for
users listed in DenyUsers, although you will get spaff if the denied user
attempts password authentication.

To me, verbose SSH logging doesn't seem like too big a burden, particularly if
coupled with tools like sshit/sshdeny or logwatch. I encourage you to
experiment; you could even try patching sshd to emit the relevant log lines at
a lower debug level if you want.

David Adam
UCC Wheel Group
zanchey@ucc.gu.uwa.edu.au
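As an added example, not part of the thread or of any of the tools named in it: a small Python parser that runs over constructed auth.log lines in the two formats discussed above ("Failed publickey ..." as emitted at LogLevel VERBOSE, and the default-level "Invalid user ...") and tallies, per source address, failures against valid accounts separately from invalid-user noise, which is the distinction Glen was after. The regex field layout and the sample lines are my own assumptions, modelled on the single line quoted in the reply.

```python
import re
from collections import defaultdict

# "Failed <method> for [invalid user ]<user> from <ip> port <port>" is the shape of
# the VERBOSE-level line quoted in the thread (assumed format, generalised to other
# methods); "Invalid user <user> from <ip>" is logged at the default LogLevel.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

def parse_line(line):
    """Return (kind, user, ip) for an authentication-failure line, else None."""
    m = FAILED_RE.search(line)
    if m:
        kind = "invalid_user" if m.group("invalid") else "failed_" + m.group("method")
        return (kind, m.group("user"), m.group("ip"))
    m = INVALID_RE.search(line)
    if m:
        return ("invalid_user", m.group("user"), m.group("ip"))
    return None

def summarize(lines):
    """Per source IP: failures against valid accounts, invalid-user attempts, accounts hit."""
    per_ip = defaultdict(lambda: {"valid_user_failures": 0, "invalid_user": 0, "users": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # accepted logins and unrelated lines are ignored
            continue
        kind, user, ip = parsed
        if kind == "invalid_user":
            per_ip[ip]["invalid_user"] += 1
        else:
            per_ip[ip]["valid_user_failures"] += 1
            per_ip[ip]["users"].add(user)
    return dict(per_ip)

# Constructed sample auth.log lines (not real logs); the first mirrors the
# VERBOSE-level line quoted in the thread. Note that a DenyUsers account trying
# a key never produces a "Failed publickey" line, as the reply points out.
SAMPLE_LOG = """\
Jul  9 11:05:01 host sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
Jul  9 11:05:03 host sshd[88597]: Failed publickey for alice from 192.0.2.10 port 50012 ssh2
Jul  9 11:05:04 host sshd[88597]: Failed publickey for alice from 192.0.2.10 port 50013 ssh2
Jul  9 11:05:06 host sshd[88599]: Invalid user admin from 192.0.2.10
Jul  9 11:05:07 host sshd[88599]: Failed password for invalid user admin from 192.0.2.10 port 50020 ssh2
Jul  9 11:05:09 host sshd[88601]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
""".splitlines()
```

Calling summarize(SAMPLE_LOG) gives 192.0.2.10 two failures against the valid account alice plus two invalid-user attempts, while the accepted login from 198.51.100.7 is not counted at all.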