From: Glen Barber <glen.j.barber@gmail.com>
To: David Adam
Cc: stable@FreeBSD.org
Subject: Re: sshd logging with key-only authentication
Date: Fri, 09 Jul 2010 08:19:08 -0400
Message-ID: <4C3713BC.2050603@gmail.com>
References: <4C366257.8040201@gmail.com> <4C368983.4040100@gmail.com>
X-BeenThere: freebsd-stable@freebsd.org

On 7/8/10 11:13 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>
>> On 7/8/10 10:24 PM, David Adam wrote:
>>> On Thu, 8 Jul 2010, Glen Barber wrote:
>>>> What caught my interest is if I attempt to log in from a machine
>>>> where I do not have my key or an incorrect key, I see nothing logged
>>>> in auth.log about a failed login attempt. If I attempt with an
>>>> invalid username, as expected, I see 'Invalid user ${USER} from
>>>> ${IP}.'
>>>>
>>>> I'm more concerned with ssh login failures with valid user names.
>>>> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
>>>> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
>>>> AllowGroups (if it is not empty), and has an executable shell. I'm
>>>> no C hacker, but superficially it looks like it can never meet a
>>>> condition where the user is valid but the key is invalid to trigger
>>>> a log entry.
>>>>
>>>> Is this a bug in openssh, or have I overlooked something in my
>>>> configuration?
>>>
>>> With LogLevel VERBOSE, you should get entries like
>>> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>>>
>>> Is that what you're after?
>>
>> Sort of, but do I really need to set verbose logging to find that valid users
>> are used in SSH attacks? root is an obvious target, which in my scenario is
>> not allowed. I'm concerned about more specific, allowed users.
>
> It's just an example I pulled out of the logs. You won't get that message
> for users listed in DenyUsers, although you will get spaff if the denied
> user attempts password authentication.
>

Right. Though, password authentication is not allowed, which brings me back
to my original point.

> To me, verbose SSH logging doesn't seem like too big a burden,

It does to me, especially if, by default, sshd does not log failed logins
from valid users. I believe *that* should be default.

> particularly if coupled with tools like sshit/sshdeny or logwatch. I
> encourage you to experiment; you could even try patching sshd to emit the
> relevant log lines at a lower debug level if you want.
>

I am fully aware of these utilities. They don't address the real problem,
however. Logwatch, in this scenario, is useless unless verbose logging is
enabled for sshd, which I believe should not be necessary.

Regards,

-- 
Glen Barber
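The thread turns on which sshd log lines a defender can actually count on: "Invalid user <name> from <ip>" appears at the default LogLevel, while "Failed publickey for <name> from <ip> port <n> ssh2" (a valid account, a key the server rejects) only appears once sshd_config carries LogLevel VERBOSE. The following is an added example, not code from the thread or from OpenSSH: a small auth.log parser that separates those cases and counts failed key attempts against valid accounts per user and source address, so a log that never shows a "Failed publickey" line can be recognised as either clean or simply not verbose enough. The log lines, usernames and addresses (192.0.2.x, 198.51.100.x) are constructed for the example; the line formats follow the ones quoted in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample auth.log lines (not taken from any real host). The
# "Failed publickey" lines are the ones that only exist with LogLevel VERBOSE;
# "Invalid user" and "Failed password" lines appear at the default level.
SAMPLE_AUTH_LOG = """\
Jul  9 08:19:08 host sshd[88595]: Failed publickey for alice from 192.0.2.10 port 41256 ssh2
Jul  9 08:19:10 host sshd[88597]: Invalid user admin from 192.0.2.10
Jul  9 08:19:12 host sshd[88599]: Failed password for invalid user admin from 192.0.2.10 port 41258 ssh2
Jul  9 08:19:15 host sshd[88601]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Jul  9 08:19:20 host sshd[88603]: Failed publickey for alice from 192.0.2.10 port 41260 ssh2
Jul  9 08:19:25 host sshd[88605]: Failed publickey for bob from 192.0.2.11 port 41300 ssh2
"""

# "<Failed|Accepted> <method> for [invalid user ]<user> from <ip> port <n>"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "Invalid user <user> from <ip>" (logged at the default LogLevel)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


@dataclass(frozen=True)
class AuthEvent:
    result: str        # "Failed", "Accepted" or "Invalid"
    method: str        # "publickey", "password", or "" for "Invalid user" lines
    user: str
    ip: str
    valid_user: bool   # False when sshd itself flagged the account as invalid


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a recognised sshd line, else None."""
    m = AUTH_RE.search(line)
    if m:
        return AuthEvent(m["result"], m["method"], m["user"], m["ip"], m["invalid"] is None)
    m = INVALID_RE.search(line)
    if m:
        return AuthEvent("Invalid", "", m["user"], m["ip"], False)
    return None


def parse_log(text: str) -> List[AuthEvent]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def failed_key_attempts_for_valid_users(events: List[AuthEvent]) -> Dict[Tuple[str, str], int]:
    """The case the thread is about: a valid account name with a key sshd
    rejects. Counted per (user, ip); only present when sshd logs at VERBOSE."""
    counts: Counter = Counter()
    for ev in events:
        if ev.result == "Failed" and ev.method == "publickey" and ev.valid_user:
            counts[(ev.user, ev.ip)] += 1
    return dict(counts)


def sources_probing_valid_accounts(events: List[AuthEvent], threshold: int = 2) -> List[str]:
    """Source addresses with at least `threshold` failed attempts (any method)
    against accounts sshd did not flag as invalid."""
    per_ip: Counter = Counter()
    for ev in events:
        if ev.result == "Failed" and ev.valid_user:
            per_ip[ev.ip] += 1
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_AUTH_LOG)
    for (user, ip), n in failed_key_attempts_for_valid_users(evs).items():
        print(f"{n} failed key attempt(s) for valid user {user} from {ip}")
    print("sources probing valid accounts:", sources_probing_valid_accounts(evs))
```

Run against a real /var/log/auth.log, an empty result from `failed_key_attempts_for_valid_users` means one of two things: no valid account saw a rejected key, or sshd is at the default LogLevel and never wrote those lines; the parser cannot tell the two apart, which is exactly the gap the message above complains about. As David Adam notes in the thread, accounts listed in DenyUsers do not produce the "Failed publickey" line either, so a DenyUsers entry also hides from this count.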