sshd logging with key-only authentication
David Adam
zanchey at ucc.gu.uwa.edu.au
Fri Jul 9 02:34:57 UTC 2010
On Thu, 8 Jul 2010, Glen Barber wrote:
> I've been seeing quite a bit of ssh bruteforce attacks which appear to be
> dictionary-based. That's fine; I have proper measures in place, such as
> key-only access, bruteforce tables for PF, and so on; though some of the
> attacks are delaying login attempts, bypassing the bruteforce rules, but that
> isn't the reason for this post.
>
> What caught my interest is if I attempt to log in from a machine where I do
> not have my key or an incorrect key, I see nothing logged in auth.log about a
> failed login attempt. If I attempt with an invalid username, as expected, I
> see 'Invalid user ${USER} from ${IP}.'
>
> I'm more concerned with ssh login failures with valid user names. Looking at
> crypto/openssh/auth.c, allowed_user() returns true if the user is not in
> DenyUsers or DenyGroups, exists in AllowUsers or AllowGroups (if it is not
> empty), and has an executable shell. I'm no C hacker, but superficially it
> looks like it can never meet a condition where the user is valid but the key
> is invalid to trigger a log entry.
>
> Is this a bug in openssh, or have I overlooked something in my configuration?
With LogLevel VERBOSE, you should get entries like
sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
Is that what you're after?
David Adam
zanchey at ucc.gu.uwa.edu.au
More information about the freebsd-stable
mailing list