Date:      Thu, 8 Jul 2010 20:33:03 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        Glen Barber <glen.j.barber@gmail.com>
Cc:        stable@freebsd.org
Subject:   Re: sshd logging with key-only authentication
Message-ID:  <20100709033303.GU90096@albert.catwhisker.org>
In-Reply-To: <4C366257.8040201@gmail.com>
References:  <4C366257.8040201@gmail.com>

On Thu, Jul 08, 2010 at 07:42:15PM -0400, Glen Barber wrote:
> ...
> What caught my interest is that if I attempt to log in from a machine where I
> do not have my key or an incorrect key, I see nothing logged in auth.log
> about a failed login attempt.  If I attempt with an invalid username, as
> expected, I see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names.
> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
> AllowGroups (if it is not empty), and has an executable shell.  I'm no C
> hacker, but superficially it looks like it can never meet a condition
> where the user is valid but the key is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my
> configuration?

What I do is configure IPFW to log all attempted session-initiation packets
on 22/tcp, and correlate /var/log/auth.log & /var/log/security.

It's rather interesting to see how many entries show up in the latter
that have no corresponding entry in the former.

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.


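The correlation David describes, written out as an added example that is not part of the original thread and not his configuration (he posted none): an ipfw rule that logs every new connection to 22/tcp into /var/log/security, and a small sh script that lists the source addresses ipfw saw but sshd never mentioned in /var/log/auth.log. The rule, the field positions in the ipfw log line, the sshd message shapes, the function names and the sample log lines are all assumptions or constructed data for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate ipfw's log of
# new connections to 22/tcp (/var/log/security) with sshd's entries in
# /var/log/auth.log and print the source addresses that reached the port
# but left no sshd line at all.
#
# Assumed firewall rule behind the security-log lines. "setup" matches
# SYN-without-ACK, i.e. session-initiation packets; "log" needs
# net.inet.ip.fw.verbose=1, and "logamount 0" lifts the per-rule cap:
#   ipfw add 100 count log logamount 0 tcp from any to me 22 in setup

# Source addresses that sent a SYN to 22/tcp. An ipfw log line looks like
#   ... kernel: ipfw: 100 Count TCP 192.0.2.10:51234 198.51.100.5:22 in via em0
# so relative to the "ipfw:" token the source is 4 fields on and the
# destination 5 fields on (IPv4 only; the port is the last ":" field).
ipfw_sources() {
    awk '/ipfw:/ && / TCP / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4); dst = $(i + 5)
            if (dst ~ /:22$/) { sub(/:[0-9]+$/, "", src); print src }
        }' "$1" | sort -u
}

# Every address sshd mentioned, whatever the outcome: "Invalid user x from A",
# "Accepted publickey for u from A port P", "Connection closed by A",
# "Received disconnect from A: ...". The first IPv4 address after
# "from " or "by " is taken.
sshd_sources() {
    awk '/sshd\[[0-9]+\]:/ && match($0, /(from|by) [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            s = substr($0, RSTART, RLENGTH); sub(/^(from|by) /, "", s); print s
        }' "$1" | sort -u
}

# $1 = security log, $2 = auth log. Prints, sorted and one per line, the
# addresses present in the ipfw log but absent from sshd's log. The sshd
# list is tagged "A" and streamed first so awk can build the seen-set
# before the firewall list ("F") arrives; no temp files needed.
unmatched() {
    {
        sshd_sources "$2" | sed 's/^/A /'
        ipfw_sources "$1" | sed 's/^/F /'
    } | awk '$1 == "A" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Constructed sample logs (not real captures) so the script runs offline.
# Expected result: 192.0.2.20 and 192.0.2.30 hit 22/tcp but sshd logged
# nothing for them; 192.0.2.50 is ignored because it targeted port 80.
run_demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sshcorr.XXXXXX") || return 1
    cat > "$dir/security" <<'EOF'
Jul  8 20:01:10 albert kernel: ipfw: 100 Count TCP 192.0.2.10:51234 198.51.100.5:22 in via em0
Jul  8 20:02:15 albert kernel: ipfw: 100 Count TCP 192.0.2.20:40000 198.51.100.5:22 in via em0
Jul  8 20:02:16 albert kernel: ipfw: 100 Count TCP 192.0.2.20:40001 198.51.100.5:22 in via em0
Jul  8 20:03:30 albert kernel: ipfw: 100 Count TCP 192.0.2.30:4444 198.51.100.5:22 in via em0
Jul  8 20:04:00 albert kernel: ipfw: 100 Count TCP 192.0.2.40:5555 198.51.100.5:22 in via em0
Jul  8 20:05:00 albert kernel: ipfw: 200 Deny TCP 192.0.2.50:6666 198.51.100.5:80 in via em0
EOF
    cat > "$dir/auth.log" <<'EOF'
Jul  8 20:01:11 albert sshd[1234]: Accepted publickey for david from 192.0.2.10 port 51234 ssh2
Jul  8 20:04:01 albert sshd[1240]: Invalid user admin from 192.0.2.40
Jul  8 20:04:02 albert sshd[1240]: Received disconnect from 192.0.2.40: 11: Bye Bye
EOF
    unmatched "$dir/security" "$dir/auth.log"
    rm -rf "$dir"
}

run_demo
```

On a real host the call is `unmatched /var/log/security /var/log/auth.log`. Two caveats when reading the unmatched list: a logged SYN that never completed the TCP handshake or the SSH banner exchange (a scanner, a dropped probe) cannot produce an sshd line, so the set mixes half-open probes with the key failures Glen is after; and sshd does record "Failed publickey for ..." for valid users once its LogLevel is raised to VERBOSE, which shrinks the unmatched set to the connections sshd never saw at all.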


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100709033303.GU90096>