Date: Thu, 8 Jul 2010 20:33:03 -0700
From: David Wolfskill <david@catwhisker.org>
To: Glen Barber <glen.j.barber@gmail.com>
Cc: stable@freebsd.org
Subject: Re: sshd logging with key-only authentication
Message-ID: <20100709033303.GU90096@albert.catwhisker.org>
In-Reply-To: <4C366257.8040201@gmail.com>
References: <4C366257.8040201@gmail.com>
On Thu, Jul 08, 2010 at 07:42:15PM -0400, Glen Barber wrote:
> ...
> What caught my interest is if I attempt to log in from a machine where I
> do not have my key or an incorrect key, I see nothing logged in auth.log
> about a failed login attempt. If I attempt with an invalid username, as
> expected, I see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names.
> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
> AllowGroups (if it is not empty), and has an executable shell. I'm no C
> hacker, but superficially it looks like it can never meet a condition
> where the user is valid but the key is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my
> configuration?
What I do is configure IPFW to log all attempted session-initiation packets
on 22/tcp, and correlate /var/log/auth.log & /var/log/security.
It's rather interesting to see how many entries show up in the latter
that have no corresponding entry in the former.
Peace,
david
--
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
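The correlation David describes, written out as an added example (not code from either poster): ipfw logs every inbound TCP setup packet to 22/tcp into /var/log/security, sshd logs what it chooses to into /var/log/auth.log, and the script reports which source addresses appear in the former with no entry at all in the latter. The ipfw rule shown in the docstring, the host names, addresses and every log line are constructed for the example; the ipfw line format ("rule action proto src:sport dst:dport in via iface") and the two sshd messages are the ones a stock FreeBSD 8 box emits, but you should check your own logs before trusting the regexes.

```python
#!/usr/bin/env python3
"""Correlate ipfw SYN logging on 22/tcp with sshd entries in auth.log.

Assumed (hypothetical) rule that produces the /var/log/security lines:
    ipfw add 1000 allow log tcp from any to me 22 setup
with the sysctl net.inet.ip.fw.verbose=1 so the kernel actually logs.
All log lines below are constructed sample data, not captured from a host.
"""
import re
from collections import defaultdict

# ipfw logs a matching packet as:
#   "ipfw: <rule> <action> TCP <src>:<sport> <dst>:<dport> in via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
# Any sshd line that names a peer address ("Accepted ... from X", "Invalid user ... from X").
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<msg>.*?\bfrom (?P<src>[\d.]+)\b.*)$")

# Constructed /var/log/security excerpt: three sources hit 22/tcp, one hits 443.
SECURITY_LOG = """\
Jul  8 20:01:12 albert kernel: ipfw: 1000 Accept TCP 192.0.2.10:51234 10.0.0.5:22 in via em0
Jul  8 20:05:40 albert kernel: ipfw: 1000 Accept TCP 192.0.2.11:40022 10.0.0.5:22 in via em0
Jul  8 20:07:03 albert kernel: ipfw: 1000 Accept TCP 198.51.100.7:33120 10.0.0.5:22 in via em0
Jul  8 20:07:09 albert kernel: ipfw: 1000 Accept TCP 198.51.100.7:33121 10.0.0.5:22 in via em0
Jul  8 20:09:55 albert kernel: ipfw: 1000 Accept TCP 203.0.113.4:4433 10.0.0.5:443 in via em0
""".splitlines()

# Constructed /var/log/auth.log excerpt: a good key, an invalid user name, and
# nothing at all from 198.51.100.7 (valid user name, key not accepted).
AUTH_LOG = """\
Jul  8 20:01:13 albert sshd[7710]: Accepted publickey for david from 192.0.2.10 port 51234 ssh2
Jul  8 20:05:41 albert sshd[7731]: Invalid user admin from 192.0.2.11
""".splitlines()


def ssh_syns(security_lines, port=22):
    """Inbound TCP setup packets to `port` that ipfw logged, as (src, sport) tuples."""
    hits = []
    for line in security_lines:
        m = IPFW_RE.search(line)
        if m and m["dir"] == "in" and int(m["dport"]) == port:
            hits.append((m["src"], int(m["sport"])))
    return hits


def sshd_peers(auth_lines):
    """Map each peer address sshd mentioned to the messages it logged about it."""
    peers = defaultdict(list)
    for line in auth_lines:
        m = SSHD_RE.search(line)
        if m:
            peers[m["src"]].append(m["msg"])
    return peers


def correlate(security_lines, auth_lines, port=22):
    """Per source address: SYNs seen by ipfw versus lines sshd wrote about it."""
    report = {}
    for src, _sport in ssh_syns(security_lines, port):
        report.setdefault(src, {"syns": 0, "sshd_lines": 0})["syns"] += 1
    peers = sshd_peers(auth_lines)
    for src in report:
        report[src]["sshd_lines"] = len(peers.get(src, []))
    return report


def silent_sources(security_lines, auth_lines, port=22):
    """Sources that sent a SYN to sshd's port but left no trace in auth.log."""
    return sorted(src for src, e in correlate(security_lines, auth_lines, port).items()
                  if e["sshd_lines"] == 0)


if __name__ == "__main__":
    for src, e in sorted(correlate(SECURITY_LOG, AUTH_LOG).items()):
        print(f"{src:16} syns={e['syns']} sshd_lines={e['sshd_lines']}")
    print("no auth.log entry:", ", ".join(silent_sources(SECURITY_LOG, AUTH_LOG)))
```

On real logs, replace the two constructed lists with the file contents (one entry per line). Two caveats when reading the output: the `setup` rule matches the SYN, so a source that never completed the handshake (a port scanner, a half-open probe) also lands in the "silent" set, and an entry that sshd writes without naming the peer address is not credited to any source by this script. The gap between the two logs is therefore an upper bound on the connections sshd said nothing about, which is still the figure that auth.log on its own cannot give you.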
