Hi,
I typically have logcheck send me anomalous logs. In the last week,
all Debian 10 machines (I know, I know, upgrade needed) started
logging this whenever I logged in from a particular other host by
SSH:
2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]: Postponed publickey
for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2 [preauth]
2024-01-27T07:59:42.017777+00:00 t.example.com sshd[12319]: Accepted publickey
for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2: RSA
SHA256:iC8C78UYVJdr+bsqV1hbtBFuft6KHi0b8i308Zn0C9o
2024-01-27T07:59:42.020718+00:00 t.example.com sshd[12319]:
pam_unix(sshd:session): session opened for user root by (uid=0)
2024-01-27T07:59:42.033599+00:00 t.example.com systemd-logind[1729]: New
session 18604 of user root.
(host names and IPv6 addresses are made up as not relevant here)
As you can see, this login was successful. What I had not seen
before was the line:
2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]:
Postponed publickey for root from 2001:db8:1f1:f0c2::2 port
37032 ssh2 [preauth]
This only happens when I log in as root using a public key, i.e.
ssh -i /path/to/pubkey r...@t.example.com
(though in reality a script doing this, but I can replicate the same
when doing it manually). The "postponed" line doesn't happen when I
log in by key as my own user.
What is actually happening there to cause that line to be logged
then?
Is it possibly something to do with my ssh-agent having another key
that would allow that to work, but it waits to use the key
specified on the ssh command line?
I am not aware of any change made in the last week or two that would
cause this to start happening, although I did reboot the client host
(2001:db8:1f1:f0c2::2 here) in that time frame so possibly my
ssh-agent environment has changed in some way.
Thanks,
]Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
