sshd logging with key-only authentication

[Glen Barber]

Hi,

I've been seeing quite a bit of ssh bruteforce attacks which appear to 
be dictionary-based.  That's fine; I have proper measures in place, such 
as key-only access, bruteforce tables for PF, and so on; though some of 
the attacks are delaying login attempts, bypassing the bruteforce rules, 
but that isn't the reason for this post.

What caught my interest is if I attempt to log in from a machine where I 
do not have my key or an incorrect key, I see nothing logged in auth.log 
about a failed login attempt.  If I attempt with an invalid username, as 
expected, I see 'Invalid user ${USER} from ${IP}.'

I'm more concerned with ssh login failures with valid user names. 
Looking at crypto/openssh/auth.c, allowed_user() returns true if the 
user is not in DenyUsers or DenyGroups, exists in AllowUsers or 
AllowGroups (if it is not empty), and has an executable shell.  I'm no C 
hacker, but superficially it looks like it can never meet a condition 
where the user is valid but the key is invalid to trigger a log entry.

Is this a bug in openssh, or have I overlooked something in my 
configuration?

Regards,

-- 
Glen Barber