From: Matt Garber
Date: Fri, 18 Oct 2019 10:55:31 -0400
Subject: Re: SSH error messages (bug id=234793) ) RELENG_12
To: mike tancsa
Cc: freebsd-stable@freebsd.org

>>>> Does anyone know what the cause is of this fail message ?
>>>>
>>>> (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234793)
>>>>
>>>> It's triggered by a normal ssh key'd login, but sshd is running with
>>>> VERBOSE logging.
>>>>
>>>> sshd[63290]: Failed unknown for testuser1 from 192.168.xx.yyy port 60643 ssh2 ?
>>>>
>>>> The user is able to login no problem, but the error message is bubbling
>>>> up in our HIDS. We had to white list it, but it would be useful to
>>>> understand exactly why and what is failing.
>>>>
>>>> —Mike
>>> It’s one of the other SSH authentication types (e.g., GSSAPI,
>>> password, etc.) which is in the processing order before public key.
>>> I’m assuming you’re seeing that ‘failure’ immediately before your
>>> successful key authentication in auth.log; I actually had to switch
>>> back to INFO for logging because that ‘failure’ trips up sshguard
>>> which kicks in and blocks the IP despite the public key auth
>>> succeeding right after whichever other auth type is tried and fails.
>>>
>>> (Unfortunately, I wasn’t able to determine which specific other
>>> authentication type was being tried first, since moving logging back
>>> to INFO resolved my immediate issue of getting blocked by sshguard
>>> before successfully processing my key.)
>> I’d also like to point out that whatever authentication method is now
>> being tried first was a change from 11.3-RELEASE, as I didn’t
>> encounter that ordering issue in my VERBOSE logs triggering sshguard
>> until after upgrading to 12.0-RELEASE. I always have password auth
>> disabled (only use public keys), but also tried explicit disable
>> statements for GSSAPI and the several other auth types I could think
>> of, but unfortunately wasn’t able to determine which auth type that
>> log line corresponded to. It could also be an auth type that was
>> previously used, but sshd in 12.0-RELEASE re-ordered the processing
>> sequence to try it before public keys.
>
> If you crank it up to debug3, it's even stranger. There are two failed
> unknowns, and one is after the key'd authentication has been accepted.
> The client I am using, (SecureCRT) has only Public Key auth and has
> everything else disabled.
>
> Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug1: trying public key file /home/testuser1/.ssh/authorized_keys
> Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug3: mm_request_send entering: type 51
> Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug1: fd 4 clearing O_NONBLOCK
> Oct 18 10:35:35 ryzen-r12 sshd[63439]: Failed unknown for testuser1 from 192.168.43.29 port 63170 ssh2
> Oct 18 10:35:35 ryzen-r12 sshd[63439]: debug1: /home/testuser1/.ssh/authorized_keys:2: matching key found: RSA SHA256:xxxxxx

I think it must be something that the server is trying even if the
client doesn’t actually send that type, since I also tested with
OpenSSH on the client end (macOS 10.14, OpenSSH_7.9p1, LibreSSL 2.7.3)
only specifying public key authentication – with all of its other auth
types disabled – and still had the same problem on my upgraded
12.0-RELEASE systems.

Thanks,
--
Matt Garber
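
A correlation filter for the HIDS/sshguard false positive discussed in this thread, as an added example that is not part of the original messages: it treats a "Failed unknown" line as benign only when the same sshd PID also logs a successful login for the same user, address and port. The function name `triage`, the "Accepted publickey" line (standard OpenSSH wording, not quoted in the thread) and the assumption that it carries the same PID are this example's own; the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format quoted in this thread (not real data).
# 203.0.113.7 is a documentation address; the "Accepted" line is an assumption.
SAMPLE = """\
Oct 18 10:35:35 ryzen-r12 sshd[63439]: Failed unknown for testuser1 from 192.168.43.29 port 63170 ssh2
Oct 18 10:35:35 ryzen-r12 sshd[63439]: Accepted publickey for testuser1 from 192.168.43.29 port 63170 ssh2: RSA SHA256:xxxxxx
Oct 18 10:36:02 ryzen-r12 sshd[63501]: Failed unknown for testuser1 from 203.0.113.7 port 40112 ssh2
Oct 18 10:36:04 ryzen-r12 sshd[63502]: Failed password for root from 203.0.113.7 port 40113 ssh2
"""

# Matches sshd's "Failed <method> for ..." and "Accepted <method> for ..." lines.
LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<verdict>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def triage(log_text):
    """Split 'Failed' events into (benign, suspicious) lists of raw lines.

    A 'Failed unknown' event is benign only if the same sshd PID also logs
    'Accepted' for the same user, source address and port. Order is ignored
    because the thread reports one such line after the key was accepted.
    """
    sessions = defaultdict(lambda: {"failed": [], "accepted": False})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # debug lines and other daemons are not auth verdicts
        key = (m["pid"], m["user"], m["ip"], m["port"])
        if m["verdict"] == "Accepted":
            sessions[key]["accepted"] = True
        else:
            sessions[key]["failed"].append((m["method"], raw))

    benign, suspicious = [], []
    for session in sessions.values():
        for method, raw in session["failed"]:
            # Real method failures (password, etc.) are never suppressed.
            ok = session["accepted"] and method == "unknown"
            (benign if ok else suspicious).append(raw)
    return benign, suspicious


if __name__ == "__main__":
    ok, alert = triage(SAMPLE)
    print("suppressed:", len(ok), "alerting:", len(alert))
```

Unlike a blanket whitelist of the message, this keeps alerting on "Failed unknown" lines that are never followed by a successful login from the same connection.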