Date: Fri, 18 Oct 2019 10:28:19 -0400 From: Matt Garber <matt.garber@gmail.com> To: mike tancsa <mike@sentex.net> Cc: freebsd-stable@freebsd.org Subject: Re: SSH error messages (bug id=234793) ) RELENG_12 Message-ID: <246561E5-9E57-4CC2-B94C-4CE8C553D972@gmail.com> In-Reply-To: <100597e5-4491-f455-d247-59f5374ea6a4@sentex.net> References: <100597e5-4491-f455-d247-59f5374ea6a4@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> Does anyone know what the cause is of this fail message ? >=20 > (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D234793) >=20 > its triggered by a normal ssh key'd login, but sshd is running with > VERBOSE logging.=20 >=20 > sshd[63290]: Failed unknown for testuser1 from 192.168.xx.yyy port > 60643 ssh2 ? >=20 > The user is able to login no problem, but the error message is = bubbling > up in our HIDS. We had to white list it, but it would be useful to > understand exactly why and what is failing. >=20 > =E2=80=94Mike It=E2=80=99s one of the other SSH authentication types (e.g., GSSAPI, = password, etc.) which is in the processing order before public key. = I=E2=80=99m assuming you=E2=80=99re seeing that =E2=80=98failure=E2=80=99 = immediately before your successful key authentication in auth.log; I = actually had to switch back to INFO for logging because that = =E2=80=98failure=E2=80=99 trips up sshguard which kicks in and blocks = the IP despite the public key auth succeeding right after whichever = other auth type is tried and fails. (Unfortunately, I wasn=E2=80=99t able to determine which specific other = authentication type was being tried first, since moving logging back to = INFO resolved my immediate issue of getting blocked by sshguard before = successfully processing my key.) Thanks, -- Matt Garber
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?246561E5-9E57-4CC2-B94C-4CE8C553D972>