From: Matt Garber
Date: Fri, 18 Oct 2019 10:28:19 -0400
To: mike tancsa
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH error messages (bug id=234793) ) RELENG_12

> Does anyone know what the cause is of this fail message ?
>
> (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234793)
>
> it's triggered by a normal ssh key'd login, but sshd is running with
> VERBOSE logging.
>
> sshd[63290]: Failed unknown for testuser1 from 192.168.xx.yyy port 60643 ssh2 ?
>
> The user is able to login no problem, but the error message is bubbling
> up in our HIDS. We had to white list it, but it would be useful to
> understand exactly why and what is failing.
>
> —Mike

It’s one of the other SSH authentication types (e.g., GSSAPI, password, etc.) which is in the processing order before public key. I’m assuming you’re seeing that ‘failure’ immediately before your successful key authentication in auth.log; I actually had to switch back to INFO for logging because that ‘failure’ trips up sshguard which kicks in and blocks the IP despite the public key auth succeeding right after whichever other auth type is tried and fails.

(Unfortunately, I wasn’t able to determine which specific other authentication type was being tried first, since moving logging back to INFO resolved my immediate issue of getting blocked by sshguard before successfully processing my key.)

Thanks,
-- 
Matt Garber
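
An added example, not part of the original message or of sshd/sshguard: one way a HIDS rule could avoid the false positive described above is to correlate each `Failed <method>` line with a later `Accepted` line from the same connection and count only failures that never end in a successful login. The log lines are constructed, and the function name and the one-PID-per-connection correlation are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from the original thread); addresses
# use the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
Oct 18 10:01:02 host sshd[63290]: Failed unknown for testuser1 from 192.0.2.10 port 60643 ssh2
Oct 18 10:01:02 host sshd[63290]: Accepted publickey for testuser1 from 192.0.2.10 port 60643 ssh2: RSA SHA256:CONSTRUCTED
Oct 18 10:05:11 host sshd[63301]: Failed password for root from 192.0.2.66 port 40022 ssh2
Oct 18 10:05:14 host sshd[63301]: Failed password for root from 192.0.2.66 port 40022 ssh2
Oct 18 10:07:40 host sshd[63377]: Failed unknown for testuser2 from 192.0.2.10 port 60701 ssh2
"""

# Assumption: one sshd PID logs every auth event of a single connection.
EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def failures_without_success(lines):
    """Return {ip: count} of failed attempts whose connection never authenticated."""
    sessions = defaultdict(lambda: {"failed": 0, "accepted": False})
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        # Key on PID, user, source IP and source port to identify one connection.
        key = (m["pid"], m["user"], m["ip"], m["port"])
        if m["result"] == "Accepted":
            sessions[key]["accepted"] = True
        else:
            sessions[key]["failed"] += 1
    counts = defaultdict(int)
    for (_pid, _user, ip, _port), state in sessions.items():
        # A failure that precedes a success on the same connection is not counted.
        if not state["accepted"]:
            counts[ip] += state["failed"]
    return dict(counts)

if __name__ == "__main__":
    for ip, n in sorted(failures_without_success(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} failed attempt(s) with no successful login on that connection")
```

This is a batch pass over a finished log; a live blocker would need a short hold window before acting on a failure so that the matching `Accepted` line has time to arrive.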