sshd logging with key-only authentication

Glen Barber glen.j.barber at gmail.com
Fri Jul 9 12:19:24 UTC 2010


On 7/8/10 11:13 PM, David Adam wrote:
> On Thu, 8 Jul 2010, Glen Barber wrote:
>
>> On 7/8/10 10:24 PM, David Adam wrote:
>>> On Thu, 8 Jul 2010, Glen Barber wrote:
>>>> What caught my interest is if I attempt to log in from a machine
>>>> where I do not have my key or an incorrect key, I see nothing logged
>>>> in auth.log about a failed login attempt.  If I attempt with an
>>>> invalid username, as expected, I see 'Invalid user ${USER} from
>>>> ${IP}.'
>>>>
>>>> I'm more concerned with ssh login failures with valid user names.
>>>> Looking at crypto/openssh/auth.c, allowed_user() returns true if the
>>>> user is not in DenyUsers or DenyGroups, exists in AllowUsers or
>>>> AllowGroups (if it is not empty), and has an executable shell.  I'm
>>>> no C hacker, but superficially it looks like it can never meet a
>>>> condition where the user is valid but the key is invalid to trigger
>>>> a log entry.
>>>>
>>>> Is this a bug in openssh, or have I overlooked something in my
>>>> configuration?
>>>
>>> With LogLevel VERBOSE, you should get entries like
>>> sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
>>>
>>> Is that what you're after?
>>
>> Sort of, but do I really need to set verbose logging to find that valid users
>> are used in SSH attacks?  root is an obvious target, which in my scenario is
>> not allowed.  I'm concerned about more specific, allowed users.
>
> It's just an example I pulled out of the logs. You won't get that message
> for users listed in DenyUsers, although you will get spaff if the denied
> user attempts password authentication.
>

Right.  Though, password authentication is not allowed, which brings me 
back to my original point.

> To me, verbose SSH logging doesn't seem like too big a burden,

It does to me, especially if, by default, sshd does not log failed 
logins from valid users.  I believe *that* should be default.

> particularly if coupled with tools like sshit/sshdeny or logwatch. I
> encourage you to experiment; you could even try patching sshd to emit the
> relevant log lines at a lower debug level if you want.
>

I am fully aware of these utilities.  They don't address the real 
problem, however.  Logwatch, in this scenario, is useless unless verbose 
logging is enabled for sshd, which I believe should not be necessary.

Regards,

-- 
Glen Barber

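The two message formats quoted in this thread ('Failed publickey for ... from ... port ...' and 'Invalid user ... from ...') turned into a small per-source summary, so failures against existing accounts stand out from username guessing. This is an added example, not code from the thread, OpenSSH or logwatch; it assumes sshd runs with LogLevel VERBOSE (the default level does not emit the 'Failed publickey' line at all) and uses constructed auth.log lines with made-up pids, users and addresses.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines from sshd at LogLevel VERBOSE. Pids,
# users and addresses are made up; the message formats are the ones quoted
# in the thread.
SAMPLE_AUTH_LOG = """\
Jul  8 22:01:03 host sshd[88595]: Failed publickey for root from 130.95.13.18 port 41256 ssh2
Jul  8 22:01:07 host sshd[88596]: Invalid user oracle from 203.0.113.7
Jul  8 22:01:09 host sshd[88597]: Failed publickey for gjb from 203.0.113.7 port 50122 ssh2
Jul  8 22:01:11 host sshd[88598]: Failed publickey for gjb from 203.0.113.7 port 50123 ssh2
Jul  8 22:01:15 host sshd[88599]: Accepted publickey for gjb from 198.51.100.4 port 40001 ssh2
Jul  8 22:01:20 host sshd[88600]: Invalid user admin from 203.0.113.7
"""

# 'Failed publickey' only appears at VERBOSE; 'Invalid user' appears at the
# default level too, which is the asymmetry the thread is about.
FAILED_PUBKEY = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def summarize_failures(log_text):
    """Map each source address to the existing accounts it failed key auth
    for and the nonexistent usernames it tried. Sources with no failure at
    all (e.g. only an 'Accepted publickey' line) are omitted."""
    per_ip = defaultdict(lambda: {"valid_users": set(), "invalid_users": set()})
    for line in log_text.splitlines():
        m = FAILED_PUBKEY.search(line)
        if m:
            per_ip[m["ip"]]["valid_users"].add(m["user"])
            continue
        m = INVALID_USER.search(line)
        if m:
            per_ip[m["ip"]]["invalid_users"].add(m["user"])
    return dict(per_ip)


def sources_probing_valid_accounts(summary):
    """Sources that failed key auth against at least one real account,
    the case the original poster wants visible in the logs."""
    return sorted(ip for ip, s in summary.items() if s["valid_users"])


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_AUTH_LOG)
    for ip in sources_probing_valid_accounts(summary):
        print(ip, sorted(summary[ip]["valid_users"]), sorted(summary[ip]["invalid_users"]))
```

Accounts listed in DenyUsers never reach the publickey stage, so, as noted in the quoted reply, they produce no 'Failed publickey' line for this script to count.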
