From: David Wolfskill <david@catwhisker.org>
To: Glen Barber
Cc: stable@freebsd.org
Date: Thu, 8 Jul 2010 20:33:03 -0700
Subject: Re: sshd logging with key-only authentication
Message-ID: <20100709033303.GU90096@albert.catwhisker.org>
In-Reply-To: <4C366257.8040201@gmail.com>

On Thu, Jul 08, 2010 at 07:42:15PM -0400, Glen Barber wrote:
> ...
> What caught my interest is if I attempt to log in from a machine where I
> do not have my key or an incorrect key, I see nothing logged in auth.log
> about a failed login attempt. If I attempt with an invalid username, as
> expected, I see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names.
> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
> AllowGroups (if it is not empty), and has an executable shell. I'm no C
> hacker, but superficially it looks like it can never meet a condition
> where the user is valid but the key is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my
> configuration?

What I do is configure IPFW to log all attempted session-initiation
packets on 22/tcp, and correlate /var/log/auth.log & /var/log/security.

It's rather interesting to see how many entries show up in the latter
that have no corresponding entry in the former.

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
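A defender-side illustration of the correlation David describes, added here as an example and not part of the original mail, of OpenSSH, or of FreeBSD: it parses ipfw log lines in the form the kernel writes to /var/log/security for a rule carrying the log keyword, parses sshd lines from auth.log that name a source address, and reports addresses that opened a TCP session to 22/tcp but left no sshd entry at all. The log lines, hostnames, addresses and rule number are constructed samples; the regular expressions, the function names and the assumption that only port 22 matters are mine.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original mail) in the format ipfw
# logs to /var/log/security for an inbound SYN matched by a rule such as
# "allow log tcp from any to me 22 in setup".
SECURITY_LOG = """\
Jul  8 20:31:10 albert kernel: ipfw: 100 Accept TCP 198.51.100.7:51234 192.0.2.1:22 in via em0
Jul  8 20:32:41 albert kernel: ipfw: 100 Accept TCP 203.0.113.9:40022 192.0.2.1:22 in via em0
Jul  8 20:33:02 albert kernel: ipfw: 100 Accept TCP 198.51.100.8:55120 192.0.2.1:22 in via em0
Jul  8 20:34:17 albert kernel: ipfw: 100 Accept TCP 203.0.113.9:40023 192.0.2.1:22 in via em0
Jul  8 20:35:00 albert kernel: ipfw: 100 Accept TCP 203.0.113.9:40024 192.0.2.1:25 in via em0
"""

# Constructed sshd lines from /var/log/auth.log covering the same period.
# Only the "Invalid user" failure and the accepted key leave a trace; the
# connections from 203.0.113.9 produce nothing, which is the gap the mail
# is about.
AUTH_LOG = """\
Jul  8 20:31:12 albert sshd[1201]: Invalid user admin from 198.51.100.7
Jul  8 20:33:05 albert sshd[1207]: Accepted publickey for david from 198.51.100.8 port 55120 ssh2
"""

# ipfw: <rule> <action> TCP <src>:<sport> <dst>:<dport> in via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via"
)
# Any sshd message that names a peer address with "from <ip>".
AUTH_RE = re.compile(r"sshd\[\d+\]: (?P<msg>.*?\bfrom (?P<src>[\d.]+))")


def parse_ipfw(text, port=22):
    """Map source address -> list of source ports for inbound sessions to `port`."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m and int(m.group("dport")) == port:
            attempts[m.group("src")].append(int(m.group("sport")))
    return dict(attempts)


def parse_auth(text):
    """Map source address -> list of sshd messages that mention that address."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events[m.group("src")].append(m.group("msg"))
    return dict(events)


def unlogged_sources(security_text, auth_text, port=22):
    """Addresses that opened sessions to sshd but never appear in auth.log.

    Returns {src_ip: number_of_sessions}; these are the entries in
    /var/log/security with no counterpart in /var/log/auth.log.
    """
    attempts = parse_ipfw(security_text, port)
    events = parse_auth(auth_text)
    return {src: len(ports) for src, ports in attempts.items() if src not in events}


if __name__ == "__main__":
    for src, count in sorted(unlogged_sources(SECURITY_LOG, AUTH_LOG).items()):
        print(f"{src}: {count} session(s) to 22/tcp with no sshd log entry")
```

Run against the real files as `unlogged_sources(open("/var/log/security").read(), open("/var/log/auth.log").read())`. Sources that show up here are exactly the ones the mail is concerned about: a connection reached sshd, so the address is worth watching, yet nothing at the default LogLevel identifies it; raising sshd's LogLevel to VERBOSE is the usual way to get per-key detail back into auth.log.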