From: mike tancsa
To: Matt Garber
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH error messages (bug id=234793) ) RELENG_12
Date: Fri, 18 Oct 2019 10:44:40 -0400
Message-ID: <07bac044-7506-e4a9-9d6a-f89aade926b4@sentex.net>
References: <100597e5-4491-f455-d247-59f5374ea6a4@sentex.net> <246561E5-9E57-4CC2-B94C-4CE8C553D972@gmail.com>

On 10/18/2019 10:36 AM, Matt Garber wrote:
>>> Does anyone know what the cause is of this fail message?
>>>
>>> (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234793)
>>>
>>> It's triggered by a normal ssh key'd login, but sshd is running with
>>> VERBOSE logging.
>>>
>>> sshd[63290]: Failed unknown for testuser1 from 192.168.xx.yyy port 60643 ssh2 ?
>>>
>>> The user is able to login no problem, but the error message is bubbling
>>> up in our HIDS. We had to white list it, but it would be useful to
>>> understand exactly why and what is failing.
>>>
>>> —Mike
>> It’s one of the other SSH authentication types (e.g., GSSAPI, password, etc.) which is in the processing order before public key. I’m assuming you’re seeing that ‘failure’ immediately before your successful key authentication in auth.log; I actually had to switch back to INFO for logging because that ‘failure’ trips up sshguard which kicks in and blocks the IP despite the public key auth succeeding right after whichever other auth type is tried and fails.
>>
>> (Unfortunately, I wasn’t able to determine which specific other authentication type was being tried first, since moving logging back to INFO resolved my immediate issue of getting blocked by sshguard before successfully processing my key.)
> I’d also like to point out that whatever authentication method is now being tried first was a change from 11.3-RELEASE, as I didn’t encounter that ordering issue in my VERBOSE logs triggering sshguard until after upgrading to 12.0-RELEASE. I always have password auth disabled (only use public keys), but also tried explicit disable statements for GSSAPI and the several other auth types I could think of, but unfortunately wasn’t able to determine which auth type that log line corresponded to. It could also be an auth type that was previously used, but sshd in 12.0-RELEASE re-ordered the processing sequence to try it before public keys.

If you crank it up to debug3, it's even stranger. There are two failed unknowns, and one is after the key'd authentication has been accepted. The client I am using (SecureCRT) has only Public Key auth and has everything else disabled.

Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug1: trying public key file /home/testuser1/.ssh/authorized_keys
Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug3: mm_request_send entering: type 51
Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug1: fd 4 clearing O_NONBLOCK
Oct 18 10:35:35 ryzen-r12 sshd[63439]: Failed unknown for testuser1 from 192.168.43.29 port 63170 ssh2
Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug1: /home/testuser1/.ssh/authorized_keys:2: matching key found: RSA SHA256:xxxxxx

    ---Mike
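
Added example (not part of the original message, and not sshd, sshguard or HIDS code): one way to keep VERBOSE logging without blanket-whitelisting the line is to correlate by sshd PID, dropping a "Failed unknown" only when the same session also logs an accepted public key, in either order. The sample log is constructed; the "Accepted publickey" lines use the standard OpenSSH format, which the thread does not quote, and the function name and the policy itself are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format quoted in the thread. The first
# session mirrors the thread's PID/user/address; the rest is invented.
SAMPLE = """\
Oct 18 10:35:35 ryzen-r12 sshd[63439]: Failed unknown for testuser1 from 192.168.43.29 port 63170 ssh2
Oct 18 10:35:35 ryzen-r12 sshd[63439]: Accepted publickey for testuser1 from 192.168.43.29 port 63170 ssh2: RSA SHA256:xxxxxx
Oct 18 10:35:35 ryzen-r12 sshd[63439]: Failed unknown for testuser1 from 192.168.43.29 port 63170 ssh2
Oct 18 10:36:02 ryzen-r12 sshd[63501]: Failed unknown for root from 198.51.100.7 port 40112 ssh2
Oct 18 10:36:04 ryzen-r12 sshd[63502]: Failed password for root from 198.51.100.7 port 40120 ssh2
Oct 18 10:36:09 ryzen-r12 sshd[63502]: Accepted publickey for root from 198.51.100.7 port 40120 ssh2: RSA SHA256:yyyyyy
"""

LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<verdict>Failed|Accepted) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def reportable_failures(log_text):
    """Return (pid, user, ip, method) for failures that should still be counted.

    Assumed policy: a "Failed unknown" is dropped only when the same sshd PID,
    user, address and port also logged "Accepted publickey". Failures of any
    named method (e.g. password) are always reported, as are "unknown"
    failures in sessions that never authenticate.
    """
    sessions = defaultdict(lambda: {"failed": [], "accepted": set()})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # debug lines and other daemons are ignored
        key = (m["pid"], m["user"], m["ip"], m["port"])
        if m["verdict"] == "Accepted":
            sessions[key]["accepted"].add(m["method"])
        else:
            sessions[key]["failed"].append(m["method"])

    out = []
    for (pid, user, ip, _port), s in sessions.items():
        for method in s["failed"]:
            benign = method == "unknown" and "publickey" in s["accepted"]
            if not benign:
                out.append((pid, user, ip, method))
    return out
```

This evaluates a whole log after the fact; a tool that reacts line by line would need to hold an "unknown" failure until the session either authenticates or closes.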