Date:      Fri, 9 Jul 2010 10:24:42 +0800 (WST)
From:      David Adam <zanchey@ucc.gu.uwa.edu.au>
To:        Glen Barber <glen.j.barber@gmail.com>
Cc:        stable@FreeBSD.org
Subject:   Re: sshd logging with key-only authentication
Message-ID:  <alpine.DEB.1.10.1007091017040.23399@martello.ucc.gu.uwa.edu.au>
In-Reply-To: <4C366257.8040201@gmail.com>
References:  <4C366257.8040201@gmail.com>

On Thu, 8 Jul 2010, Glen Barber wrote:
> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
> dictionary-based.  That's fine; I have proper measures in place, such as
> key-only access, bruteforce tables for PF, and so on; though some of the
> attacks are delaying login attempts, bypassing the bruteforce rules, but that
> isn't the reason for this post.
> 
> What caught my interest is if I attempt to log in from a machine where I do
> not have my key or an incorrect key, I see nothing logged in auth.log about a
> failed login attempt.  If I attempt with an invalid username, as expected, I
> see 'Invalid user ${USER} from ${IP}.'
> 
> I'm more concerned with ssh login failures with valid user names. Looking at
> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
> empty), and has an executable shell.  I'm no C hacker, but superficially it
> looks like it can never meet a condition where the user is valid but the key
> is invalid to trigger a log entry.
> 
> Is this a bug in openssh, or have I overlooked something in my configuration?

With LogLevel VERBOSE, you should get entries like
sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2

Is that what you're after?

David Adam
zanchey@ucc.gu.uwa.edu.au
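A small log parser, added here as an example that is not part of the original exchange: it reads constructed auth.log lines in the format of the "Failed publickey" entry David quotes (emitted only at LogLevel VERBOSE) and the "Invalid user" entry Glen already sees, and counts per source address the key failures against existing accounts, which is exactly what the default log level leaves invisible. Hostnames, PIDs and addresses other than the one in David's line are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (only the first one's format comes from the thread).
SAMPLE_LOG = """\
Jul  9 10:01:02 host sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
Jul  9 10:01:05 host sshd[88597]: Failed publickey for root from 130.95.13.18 port 41260 ssh2
Jul  9 10:01:09 host sshd[88601]: Invalid user admin from 198.51.100.7
Jul  9 10:01:11 host sshd[88601]: Failed publickey for invalid user admin from 198.51.100.7 port 41270 ssh2
Jul  9 10:02:14 host sshd[88610]: Failed publickey for glen from 130.95.13.18 port 41302 ssh2
Jul  9 10:03:00 host sshd[88622]: Accepted publickey for glen from 203.0.113.9 port 50122 ssh2
"""

# "invalid user" is optional: sshd prefixes it when the account does not exist.
FAILED_KEY_RE = re.compile(
    r"sshd\[\d+\]: Failed publickey for (invalid user )?(\S+) from (\S+) port \d+")
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def summarise(log_text):
    """Return (valid_user_failures, invalid_user_attempts):
    ip -> Counter(user) for key failures against existing accounts, and
    ip -> count for probes of non-existent accounts."""
    valid_user_failures = defaultdict(Counter)
    invalid_user_attempts = Counter()
    for line in log_text.splitlines():
        m = FAILED_KEY_RE.search(line)
        if m:
            is_invalid, user, ip = m.groups()
            if is_invalid:
                # Already counted by the "Invalid user" line; do not double count.
                continue
            valid_user_failures[ip][user] += 1
            continue
        m = INVALID_USER_RE.search(line)
        if m:
            invalid_user_attempts[m.group(2)] += 1
    return valid_user_failures, invalid_user_attempts


def sources_over_threshold(log_text, threshold=3):
    """Source addresses whose key failures against existing accounts reach
    the threshold; these never show up in the 'Invalid user' lines."""
    valid_fail, _ = summarise(log_text)
    return sorted(ip for ip, users in valid_fail.items()
                  if sum(users.values()) >= threshold)


if __name__ == "__main__":
    print(sources_over_threshold(SAMPLE_LOG))  # ['130.95.13.18']
```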
