Date: Fri, 09 Jul 2010 08:19:08 -0400
From: Glen Barber <glen.j.barber@gmail.com>
To: David Adam <zanchey@ucc.gu.uwa.edu.au>
Cc: stable@FreeBSD.org
Subject: Re: sshd logging with key-only authentication
Message-ID: <4C3713BC.2050603@gmail.com>
In-Reply-To: <alpine.DEB.1.10.1007091052070.23399@martello.ucc.gu.uwa.edu.au>
References: <4C366257.8040201@gmail.com> <alpine.DEB.1.10.1007091017040.23399@martello.ucc.gu.uwa.edu.au> <4C368983.4040100@gmail.com> <alpine.DEB.1.10.1007091052070.23399@martello.ucc.gu.uwa.edu.au>
On 7/8/10 11:13 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>
>> On 7/8/10 10:24 PM, David Adam wrote:
>>> On Thu, 8 Jul 2010, Glen Barber wrote:
>>>> What caught my interest is if I attempt to log in from a machine
>>>> where I do not have my key or an incorrect key, I see nothing logged
>>>> in auth.log about a failed login attempt. If I attempt with an
>>>> invalid username, as expected, I see 'Invalid user ${USER} from
>>>> ${IP}.'
>>>>
>>>> I'm more concerned with ssh login failures with valid user names.
>>>> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
>>>> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
>>>> AllowGroups (if it is not empty), and has an executable shell. I'm
>>>> no C hacker, but superficially it looks like it can never meet a
>>>> condition where the user is valid but the key is invalid to trigger
>>>> a log entry.
>>>>
>>>> Is this a bug in openssh, or have I overlooked something in my
>>>> configuration?
>>>
>>> With LogLevel VERBOSE, you should get entries like
>>> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>>>
>>> Is that what you're after?
>>
>> Sort of, but do I really need to set verbose logging to find that valid users
>> are used in SSH attacks? root is an obvious target, which in my scenario is
>> not allowed. I'm concerned about more specific, allowed users.
>
> It's just an example I pulled out of the logs. You won't get that message
> for users listed in DenyUsers, although you will get spaff if the denied
> user attempts password authentication.
>

Right. Though, password authentication is not allowed, which brings me
back to my original point.

> To me, verbose SSH logging doesn't seem like too big a burden,

It does to me, especially if, by default, sshd does not log failed logins
from valid users. I believe *that* should be default.

> particularly if coupled with tools like sshit/sshdeny or logwatch. I
> encourage you to experiment; you could even try patching sshd to emit the
> relevant log lines at a lower debug level if you want.
>

I am fully aware of these utilities. They don't address the real problem,
however. Logwatch, in this scenario, is useless unless verbose logging is
enabled for sshd, which I believe should not be necessary.

Regards,

-- 
Glen Barber
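The thread's practical takeaway is that, on a key-only sshd, the "Failed publickey for <user> from <ip>" lines that reveal a valid account being probed only appear once `LogLevel VERBOSE` is set in sshd_config; "Invalid user <user> from <ip>" lines appear at the default level regardless. The following is an added example (editor's code, not from either poster or from OpenSSH or logwatch) that reads auth.log text in the formats quoted above and reports the case Glen cares about: a valid user name hit repeatedly with a rejected key. The log lines are constructed for the example; the `threshold` parameter and the function names are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the original thread).
# The "Failed publickey" entries are what sshd emits with LogLevel VERBOSE;
# at the default LogLevel INFO they are missing, which is the thread's complaint.
SAMPLE_AUTH_LOG = """\
Jul  9 07:58:01 host sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
Jul  9 07:58:02 host sshd[88597]: Invalid user oracle from 198.51.100.7
Jul  9 07:58:04 host sshd[88599]: Failed publickey for glen from 203.0.113.9 port 50122 ssh2
Jul  9 07:58:05 host sshd[88599]: Failed publickey for glen from 203.0.113.9 port 50122 ssh2
Jul  9 07:58:07 host sshd[88601]: Accepted publickey for glen from 192.0.2.4 port 39001 ssh2
Jul  9 07:58:09 host sshd[88603]: Failed publickey for glen from 203.0.113.9 port 50130 ssh2
"""

# sshd also writes "Failed publickey for invalid user X from ..." for unknown
# accounts, so the optional "invalid user " prefix is tolerated here.
FAILED_PUBKEY = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_auth_log(text):
    """Return three Counters keyed by (user, ip): failed publickey,
    invalid user, and accepted logins."""
    failed, invalid, accepted = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = FAILED_PUBKEY.search(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
            continue
        m = INVALID_USER.search(line)
        if m:
            invalid[(m["user"], m["ip"])] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[(m["user"], m["ip"])] += 1
    return failed, invalid, accepted


def valid_user_key_failures(text, threshold=3):
    """(user, ip, count) triples with at least `threshold` rejected-key
    attempts against an account sshd did NOT report as invalid.

    This is the event the thread is about: a real account name being probed
    with a key the server does not accept. Names that sshd has flagged as
    invalid are excluded, since those are already logged at the default level.
    """
    failed, invalid, _ = parse_auth_log(text)
    invalid_names = {user for user, _ip in invalid}
    return sorted(
        (user, ip, n)
        for (user, ip), n in failed.items()
        if n >= threshold and user not in invalid_names
    )


if __name__ == "__main__":
    for user, ip, n in valid_user_key_failures(SAMPLE_AUTH_LOG):
        print(f"{user} from {ip}: {n} rejected-key attempts")
```

Run against a real auth.log, this only finds anything if sshd is at `LogLevel VERBOSE` (or patched, as David suggests, to log the failure at INFO); with the default level the `failed` counter stays empty for valid accounts and a tool like logwatch has nothing to report. One caveat worth knowing: OpenSSH's auth.c raises the "Failed" message from verbose to the normal log level once a connection has used up half of MaxAuthTries, so a single client offering several keys in one connection can still surface at the default level, whereas one rejected key per connection will not.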