sshd logging with key-only authentication

David Adam zanchey at ucc.gu.uwa.edu.au
Fri Jul 9 03:13:29 UTC 2010


On Thu, 8 Jul 2010, Glen Barber wrote:

> On 7/8/10 10:24 PM, David Adam wrote:
> > On Thu, 8 Jul 2010, Glen Barber wrote:
> > > What caught my interest is if I attempt to log in from a machine 
> > > where I do not have my key or an incorrect key, I see nothing logged 
> > > in auth.log about a failed login attempt.  If I attempt with an 
> > > invalid username, as expected, I see 'Invalid user ${USER} from 
> > > ${IP}.'
> > > 
> > > I'm more concerned with ssh login failures with valid user names. 
> > > Looking at crypto/openssh/auth.c, allowed_user() returns true if the 
> > > user is not in DenyUsers or DenyGroups, exists in AllowUsers or 
> > > AllowGroups (if it is not empty), and has an executable shell.  I'm 
> > > no C hacker, but superficially it looks like it can never meet a 
> > > condition where the user is valid but the key is invalid to trigger 
> > > a log entry.
> > > 
> > > Is this a bug in openssh, or have I overlooked something in my
> > > configuration?
> > 
> > With LogLevel VERBOSE, you should get entries like
> > sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
> > 
> > Is that what you're after?
> 
> Sort of, but do I really need to set verbose logging to find that valid users
> are used in SSH attacks?  root is an obvious target, which in my scenario is
> not allowed.  I'm concerned about more specific, allowed users.

It's just an example I pulled out of the logs. You won't get that message 
for users listed in DenyUsers, although you will get spaff if the denied 
user attempts password authentication.

To me, verbose SSH logging doesn't seem like too big a burden, 
particularly if coupled with tools like sshit/sshdeny or logwatch. I 
encourage you to experiment; you could even try patching sshd to emit the 
relevant log lines at a lower debug level if you want.

David Adam
UCC Wheel Group
zanchey at ucc.gu.uwa.edu.au
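The following is an added example, not part of the original message or of OpenSSH: a small parser that, once `LogLevel VERBOSE` is set, separates `Failed publickey` entries for valid accounts from attempts against unknown usernames. The syslog prefix, the sample users and addresses, the `summarize` function and its `threshold` parameter are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. The first message body is the one quoted in the
# thread; the timestamps, host name, other users and addresses are made up.
SAMPLE_LOG = """\
Jul  9 03:01:12 host sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
Jul  9 03:02:01 host sshd[88601]: Failed publickey for alice from 192.0.2.7 port 50110 ssh2
Jul  9 03:02:03 host sshd[88601]: Failed publickey for alice from 192.0.2.7 port 50110 ssh2
Jul  9 03:02:09 host sshd[88607]: Failed publickey for alice from 192.0.2.7 port 50114 ssh2
Jul  9 03:03:30 host sshd[88610]: Invalid user admin from 198.51.100.9
Jul  9 03:03:31 host sshd[88610]: Failed publickey for invalid user admin from 198.51.100.9 port 50022 ssh2
Jul  9 03:04:00 host sshd[88615]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def summarize(log_text, threshold=3):
    """Count failed key logins per (user, ip), split by valid/invalid account."""
    valid, invalid = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            # sshd marks unknown accounts with "invalid user"; everything
            # else is a key failure against an account sshd treats as valid.
            if not m.group("invalid"):
                valid[(m.group("user"), m.group("ip"))] += 1
            continue
        m = INVALID.search(line)
        if m:
            invalid[(m.group("user"), m.group("ip"))] += 1
    # threshold is an assumed tuning knob for this example, not an sshd setting
    flagged = sorted((u, ip, n) for (u, ip), n in valid.items() if n >= threshold)
    return valid, invalid, flagged


if __name__ == "__main__":
    valid, invalid, flagged = summarize(SAMPLE_LOG)
    for user, ip, count in flagged:
        print(f"{count} failed publickey attempts for valid user {user} from {ip}")
```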

