Hi,
I've been seeing quite a few ssh bruteforce attacks which appear to
be dictionary-based. That's fine; I have proper measures in place, such
as key-only access, bruteforce tables for PF, and so on; some of the
attacks delay their login attempts, bypassing the bruteforce rules, but
that isn't the reason for this post.
What caught my interest is that if I attempt to log in from a machine where I
do not have my key, or have an incorrect key, I see nothing logged in auth.log
about a failed login attempt. If I attempt with an invalid username, as
expected, I see 'Invalid user ${USER} from ${IP}.'
I'm more concerned with ssh login failures with valid user names.
Looking at crypto/openssh/auth.c, allowed_user() returns true if the
user is not in DenyUsers or DenyGroups, exists in AllowUsers or
AllowGroups (if it is not empty), and has an executable shell. I'm no C
hacker, but superficially it looks like it can never meet a condition
where the user is valid but the key is invalid to trigger a log entry.
Is this a bug in openssh, or have I overlooked something in my
configuration?
Regards,
--
Glen Barber
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
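The gap the post describes, an auth.log that shows "Invalid user" lines but nothing for a valid account presenting a bad key, is what a log-review script should surface, so here is an added example (not from the post, not OpenSSH code) that classifies sshd syslog lines per source address. The sample log lines are constructed for the example. One background fact from OpenSSH's auth.c (auth_log()), not stated in the post: "Failed publickey for <user>" is emitted at syslog level VERBOSE when the account is valid and the failure count is still below half of MaxAuthTries, so with the default `LogLevel INFO` the `failed_valid_user` counter below stays at zero; setting `LogLevel VERBOSE` in sshd_config makes those lines appear. The per-IP threshold and category names are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (assumed syslog format; addresses are
# documentation ranges, fingerprints are dummy values).
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1201]: Invalid user admin from 203.0.113.5 port 40112
Jan 10 12:00:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 12:00:09 host sshd[1209]: Invalid user oracle from 203.0.113.5 port 40120
Jan 10 12:01:15 host sshd[1222]: Failed publickey for glen from 203.0.113.7 port 51234 ssh2: RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 10 12:02:30 host sshd[1240]: Accepted publickey for glen from 198.51.100.2 port 33002 ssh2: RSA SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Jan 10 12:03:00 host sshd[1251]: pam_unix(sshd:session): session opened for user glen by (uid=0)
"""

# Matches the three sshd authentication messages we care about:
#   "Invalid user NAME from IP"                         (unknown account)
#   "Failed METHOD for [invalid user ]NAME from IP"     (auth failure)
#   "Accepted METHOD for NAME from IP"                  (success)
LINE_RE = re.compile(
    r"sshd\[\d+\]: "
    r"(?P<event>Invalid user|Failed \w+ for(?: invalid user)?|Accepted \w+ for) "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def classify(line):
    """Return (category, user, ip) for an sshd auth line, or None.

    Categories:
      invalid_user       - account does not exist (logged at LogLevel INFO)
      failed_valid_user  - real account, wrong credential/key
                           (publickey failures need LogLevel VERBOSE)
      accepted           - successful login
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    event = m.group("event")
    if event.startswith("Invalid user") or event.endswith("invalid user"):
        category = "invalid_user"
    elif event.startswith("Failed"):
        category = "failed_valid_user"
    else:
        category = "accepted"
    return category, m.group("user"), m.group("ip")


def summarize(log_text):
    """Count auth events per source IP: {ip: Counter({category: n})}."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue  # session/pam noise and anything else we do not track
        category, _user, ip = result
        per_ip[ip][category] += 1
    return per_ip


def failed_valid_user_sources(per_ip, threshold=1):
    """IPs with at least `threshold` failures against existing accounts.

    These are the attempts the post says are invisible at the default
    log level; with LogLevel VERBOSE they show up here.
    """
    return sorted(ip for ip, c in per_ip.items()
                  if c["failed_valid_user"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, counts in sorted(stats.items()):
        print(ip, dict(counts))
    print("valid-user failures from:", failed_valid_user_sources(stats))
```

Running this against a real auth.log with the default `LogLevel INFO` will report only `invalid_user` and `accepted` events, which is exactly the blind spot the post raises; rerun after enabling `LogLevel VERBOSE` and the `failed_valid_user` column fills in, giving the bruteforce tables something to key on for valid accounts as well.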