From: Matt Garber
To: mike tancsa
Cc: freebsd-stable@freebsd.org
Date: Fri, 18 Oct 2019 10:36:09 -0400
Subject: Re: SSH error messages (bug id=234793) ) RELENG_12

>> Does anyone know what the cause is of this fail message?
>>
>> (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234793)
>>
>> It's triggered by a normal ssh key'd login, but sshd is running with
>> VERBOSE logging.
>>
>> sshd[63290]: Failed unknown for testuser1 from 192.168.xx.yyy port 60643 ssh2 ?
>>
>> The user is able to login no problem, but the error message is bubbling
>> up in our HIDS. We had to white list it, but it would be useful to
>> understand exactly why and what is failing.
>>
>> —Mike
>
> It’s one of the other SSH authentication types (e.g., GSSAPI,
> password, etc.) which is in the processing order before public key.
> I’m assuming you’re seeing that ‘failure’ immediately before your
> successful key authentication in auth.log; I actually had to switch
> back to INFO for logging because that ‘failure’ trips up sshguard,
> which kicks in and blocks the IP despite the public key auth
> succeeding right after whichever other auth type is tried and fails.
>
> (Unfortunately, I wasn’t able to determine which specific other
> authentication type was being tried first, since moving logging back
> to INFO resolved my immediate issue of getting blocked by sshguard
> before successfully processing my key.)

I’d also like to point out that whatever authentication method is now
being tried first was a change from 11.3-RELEASE, as I didn’t encounter
that ordering issue in my VERBOSE logs triggering sshguard until after
upgrading to 12.0-RELEASE. I always have password auth disabled (only
use public keys), but also tried explicit disable statements for GSSAPI
and the several other auth types I could think of, but unfortunately
wasn’t able to determine which auth type that log line corresponded to.
It could also be an auth type that was previously used, but sshd in
12.0-RELEASE re-ordered the processing sequence to try it before public
keys.

Thanks,
--
Matt Garber
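
The pattern discussed in this thread (a VERBOSE-level "Failed unknown" line followed by a successful key login on the same connection) can be filtered before it reaches a HIDS or a blocker, instead of whitelisting the message outright or dropping back to INFO. The following is an added example, not part of the original messages and not sshguard's own logic; the function name is hypothetical and the log lines are constructed, using the "Failed unknown" format quoted above and OpenSSH's usual "Accepted publickey" format.

```python
import re
from collections import defaultdict

# Constructed auth.log-style sample; addresses and key fingerprint are made up.
SAMPLE = """\
Oct 18 10:30:01 host sshd[63290]: Failed unknown for testuser1 from 192.168.0.10 port 60643 ssh2
Oct 18 10:30:01 host sshd[63290]: Accepted publickey for testuser1 from 192.168.0.10 port 60643 ssh2: RSA SHA256:constructed
Oct 18 10:31:12 host sshd[63301]: Failed password for root from 203.0.113.7 port 40022 ssh2
Oct 18 10:31:15 host sshd[63301]: Failed password for root from 203.0.113.7 port 40022 ssh2
Oct 18 10:32:40 host sshd[63310]: Failed unknown for testuser2 from 192.168.0.11 port 51000 ssh2
"""

EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<verdict>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


def actionable_failures(log_text):
    """Return the failure events that should still count against the source.

    A "Failed unknown" event is dropped only when the same sshd pid (the same
    connection) later logs "Accepted publickey" for the same user, address and
    port. Every other failure is kept, including a "Failed unknown" that is
    never followed by a success and any failed password attempt, so a guessed
    password that eventually succeeds is not hidden by this filter.
    """
    sessions = defaultdict(list)  # pid -> events, in log order
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            sessions[m["pid"]].append(m.groupdict())

    kept = []
    for events in sessions.values():
        for i, e in enumerate(events):
            if e["verdict"] != "Failed":
                continue
            key = (e["user"], e["ip"], e["port"])
            followed_by_key_login = any(
                later["verdict"] == "Accepted"
                and later["method"] == "publickey"
                and (later["user"], later["ip"], later["port"]) == key
                for later in events[i + 1:]
            )
            if not (e["method"] == "unknown" and followed_by_key_login):
                kept.append(e)
    return kept
```

Because sshd pids are reused over time, a long-running consumer should expire a pid's events once the connection closes rather than keeping them indefinitely.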