sshd(8) should also log which account is trying a revoked key (was Re: sshd - also log account trying a revoked key)

2018-12-07 Thread Lars Noodén
(Re-phrased for clarity.)

Please also log the user accounts which attempt to use revoked keys.

It would much more easily identify the problem account in question by
listing it on the same line as the offending revoked key in the log,
instead of in a separate log entry as is the case now.

The log entry could be changed to look something
like this:

Oct 21 18:14:14 server sshd[73078]: error: User foo authentication key
RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:14:28 server sshd[73078]: Connection closed by
authenticating user foo 198.51.100.95 port 55644 [preauth]

Currently only the key is logged and not the user:

Oct 21 18:07:00 server sshd[79743]: error: Authentication key RSA
SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:07:06 server sshd[79743]: Connection closed by
authenticating user foo 198.51.100.95 port 55634 [preauth]

So I would propose consideration of something approximately like the
changes below.

/Lars

Index: usr.bin/ssh//auth.c
===
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.133
diff -u -p -u -r1.133 auth.c
--- usr.bin/ssh//auth.c 12 Sep 2018 01:19:12 -  1.133
+++ usr.bin/ssh//auth.c 21 Oct 2018 15:27:04 -
@@ -507,7 +507,7 @@ getpwnamallow(const char *user)

 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
-auth_key_is_revoked(struct sshkey *key)
+auth_key_is_revoked(struct passwd *pw, struct sshkey *key)
 {
char *fp = NULL;
int r;
@@ -526,8 +526,9 @@ auth_key_is_revoked(struct sshkey *key)
case 0:
break; /* not revoked */
case SSH_ERR_KEY_REVOKED:
-   error("Authentication key %s %s revoked by file %s",
-   sshkey_type(key), fp, options.revoked_keys_file);
+   error("User %s authentication key %s %s revoked by file %s",
+   pw->pw_name, sshkey_type(key), fp,
+   options.revoked_keys_file);
goto out;
default:
error("Error checking authentication key %s %s in "
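Review bot: the new error() call in the SSH_ERR_KEY_REVOKED case dereferences pw->pw_name without checking that pw is non-NULL, so a NULL pw would crash sshd in the logging path instead of merely losing the account name from the message. Since this function's whole job is to refuse revoked keys, a defensive `pw != NULL ? pw->pw_name : "(unknown)"` in the format arguments keeps the revocation logged in every case; alternatively, state in the comment above the function that callers must pass a valid pw.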
Index: usr.bin/ssh//auth.h
===
RCS file: /cvs/src/usr.bin/ssh/auth.h,v
retrieving revision 1.96
diff -u -p -u -r1.96 auth.h
--- usr.bin/ssh//auth.h 10 Apr 2018 00:10:49 -  1.96
+++ usr.bin/ssh//auth.h 21 Oct 2018 15:27:04 -
@@ -175,7 +175,7 @@ char*authorized_principals_file(struct

 FILE   *auth_openkeyfile(const char *, struct passwd *, int);
 FILE   *auth_openprincipals(const char *, struct passwd *, int);
-int auth_key_is_revoked(struct sshkey *);
+int auth_key_is_revoked(struct passwd *, struct sshkey *);

 const char *auth_get_canonical_hostname(struct ssh *, int);

Index: usr.bin/ssh//auth2-hostbased.c
===
RCS file: /cvs/src/usr.bin/ssh/auth2-hostbased.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 auth2-hostbased.c
--- usr.bin/ssh//auth2-hostbased.c  20 Sep 2018 03:28:06 -  1.38
+++ usr.bin/ssh//auth2-hostbased.c  21 Oct 2018 15:27:04 -
@@ -175,7 +175,7 @@ hostbased_key_allowed(struct passwd *pw,
int len;
char *fp;

-   if (auth_key_is_revoked(key))
+   if (auth_key_is_revoked(pw, key))
return 0;

resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);
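Review bot: in hostbased_key_allowed() the key passed here is the client host's key, not one belonging to the account, so after this change a revoked host key would be logged as "User foo authentication key ... revoked", which reads as if foo's own key were revoked. Wording the message as "... revoked by file %s for user %s" (or giving auth_key_is_revoked() a label for what kind of key it is checking) keeps the line accurate for both callers.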
Index: usr.bin/ssh//auth2-pubkey.c
===
RCS file: /cvs/src/usr.bin/ssh/auth2-pubkey.c,v
retrieving revision 1.86
diff -u -p -u -r1.86 auth2-pubkey.c
--- usr.bin/ssh//auth2-pubkey.c 20 Sep 2018 03:28:06 -  1.86
+++ usr.bin/ssh//auth2-pubkey.c 21 Oct 2018 15:27:04 -
@@ -1001,10 +1001,10 @@ user_key_allowed(struct ssh *ssh, struct
if (authoptsp != NULL)
*authoptsp = NULL;

-   if (auth_key_is_revoked(key))
+   if (auth_key_is_revoked(pw, key))
return 0;
if (sshkey_is_cert(key) &&
-   auth_key_is_revoked(key->cert->signature_key))
+   auth_key_is_revoked(pw, key->cert->signature_key))
return 0;

if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
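Review bot: the second call passes the certificate's signing key (key->cert->signature_key) to auth_key_is_revoked(), so a revoked CA key produces the same "User foo authentication key ... revoked" line as a revoked user key, but with the CA's fingerprint rather than the one the client presented. Anyone matching logged fingerprints against the revocation file or the user's authorized_keys will be misled; consider a separate message for the CA case, or a flag argument so the message can say "certificate CA key" there.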



sshd - also log account trying a revoked key

2018-10-21 Thread Lars Noodén
When a revoked key is used in an authentication attempt, only the key
information is currently logged:

Oct 21 18:07:00 server sshd[79743]: error: Authentication key RSA
SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:07:06 server sshd[79743]: Connection closed by
authenticating user foo 198.51.100.95 port 55634 [preauth]

That requires a little bit of AWK or Perl hackery to identify which
account it was used against.  It may also be that theoretically the
log file could roll over at just the instant between writing the line
about the key and writing the second line about the closed connection,
making identification difficult.

It would be of help in both cases to identify the account in question
at the same time that the offending revoked key is identified in the
log:

Oct 21 18:14:14 server sshd[73078]: error: User foo authentication key
RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:14:28 server sshd[73078]: Connection closed by
authenticating user foo 198.51.100.95 port 55644 [preauth]

So I would suggest consideration of something like the changes below.
(Warning for cargo-culted code)

/Lars

Index: usr.bin/ssh//auth.c
===
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.133
diff -u -p -u -r1.133 auth.c
--- usr.bin/ssh//auth.c 12 Sep 2018 01:19:12 -  1.133
+++ usr.bin/ssh//auth.c 21 Oct 2018 15:27:04 -
@@ -507,7 +507,7 @@ getpwnamallow(const char *user)

 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
-auth_key_is_revoked(struct sshkey *key)
+auth_key_is_revoked(struct passwd *pw, struct sshkey *key)
 {
char *fp = NULL;
int r;
@@ -526,8 +526,9 @@ auth_key_is_revoked(struct sshkey *key)
case 0:
break; /* not revoked */
case SSH_ERR_KEY_REVOKED:
-   error("Authentication key %s %s revoked by file %s",
-   sshkey_type(key), fp, options.revoked_keys_file);
+   error("User %s authentication key %s %s revoked by file %s",
+   pw->pw_name, sshkey_type(key), fp,
+   options.revoked_keys_file);
goto out;
default:
error("Error checking authentication key %s %s in "
Index: usr.bin/ssh//auth.h
===
RCS file: /cvs/src/usr.bin/ssh/auth.h,v
retrieving revision 1.96
diff -u -p -u -r1.96 auth.h
--- usr.bin/ssh//auth.h 10 Apr 2018 00:10:49 -  1.96
+++ usr.bin/ssh//auth.h 21 Oct 2018 15:27:04 -
@@ -175,7 +175,7 @@ char*authorized_principals_file(struct

 FILE   *auth_openkeyfile(const char *, struct passwd *, int);
 FILE   *auth_openprincipals(const char *, struct passwd *, int);
-int auth_key_is_revoked(struct sshkey *);
+int auth_key_is_revoked(struct passwd *, struct sshkey *);

 const char *auth_get_canonical_hostname(struct ssh *, int);

Index: usr.bin/ssh//auth2-hostbased.c
===
RCS file: /cvs/src/usr.bin/ssh/auth2-hostbased.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 auth2-hostbased.c
--- usr.bin/ssh//auth2-hostbased.c  20 Sep 2018 03:28:06 -  1.38
+++ usr.bin/ssh//auth2-hostbased.c  21 Oct 2018 15:27:04 -
@@ -175,7 +175,7 @@ hostbased_key_allowed(struct passwd *pw,
int len;
char *fp;

-   if (auth_key_is_revoked(key))
+   if (auth_key_is_revoked(pw, key))
return 0;

resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);
Index: usr.bin/ssh//auth2-pubkey.c
===
RCS file: /cvs/src/usr.bin/ssh/auth2-pubkey.c,v
retrieving revision 1.86
diff -u -p -u -r1.86 auth2-pubkey.c
--- usr.bin/ssh//auth2-pubkey.c 20 Sep 2018 03:28:06 -  1.86
+++ usr.bin/ssh//auth2-pubkey.c 21 Oct 2018 15:27:04 -
@@ -1001,10 +1001,10 @@ user_key_allowed(struct ssh *ssh, struct
if (authoptsp != NULL)
*authoptsp = NULL;

-   if (auth_key_is_revoked(key))
+   if (auth_key_is_revoked(pw, key))
return 0;
if (sshkey_is_cert(key) &&
-   auth_key_is_revoked(key->cert->signature_key))
+   auth_key_is_revoked(pw, key->cert->signature_key))
return 0;

if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)

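The correlation the message above describes doing by hand with AWK or Perl, as an added example that is not part of the post or of OpenSSH: a small Python script that pairs each "revoked by file" line with the "Connection closed by authenticating user" line from the same sshd child (matched on the PID in brackets), accepts both the current log format and the proposed one with the user on the same line, and reports events whose follow-up line never appeared (the rollover case the post mentions). The log lines are constructed after the ones quoted in the post; the second event's fingerprint is a placeholder, not a real key.

```python
import re

# Constructed sample log, modelled on the two line formats quoted in the post:
# the current format (key only) and the proposed one (user on the same line).
# The second revoked-key event has no "Connection closed" line, standing in
# for the log-rollover case the post mentions. Its fingerprint is a placeholder.
SAMPLE_LOG = """\
Oct 21 18:07:00 server sshd[79743]: error: Authentication key RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file /etc/ssh/ssh_revoked_keys
Oct 21 18:07:06 server sshd[79743]: Connection closed by authenticating user foo 198.51.100.95 port 55634 [preauth]
Oct 21 18:09:41 server sshd[80102]: error: Authentication key ED25519 SHA256:PLACEHOLDER_FINGERPRINT_NOT_A_REAL_KEY revoked by file /etc/ssh/ssh_revoked_keys
Oct 21 18:14:14 server sshd[73078]: error: User foo authentication key RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file /etc/ssh/ssh_revoked_keys
Oct 21 18:14:28 server sshd[73078]: Connection closed by authenticating user foo 198.51.100.95 port 55644 [preauth]
"""

# Matches both the current "Authentication key ..." line and the proposed
# "User <name> authentication key ..." line; the user group is None for the former.
REVOKED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: "
    r"(?:User (?P<user>\S+) authentication key|Authentication key) "
    r"(?P<ktype>\S+) (?P<fp>\S+) revoked by file (?P<file>\S+)"
)

# The follow-up line that, in the current format, is the only place the
# account name and peer address appear.
CLOSED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Connection closed by authenticating user "
    r"(?P<user>\S+) (?P<addr>\S+) port (?P<port>\d+)"
)


def correlate_revoked_keys(log_text):
    """Return one dict per revoked-key event, with the account filled in
    from whichever line carried it (or left None when no line did)."""
    pending = {}  # sshd pid -> event still waiting for its "Connection closed" line
    events = []
    for line in log_text.splitlines():
        m = REVOKED_RE.search(line)
        if m:
            event = {
                "pid": m["pid"],
                "user": m["user"],
                "user_source": "revoked-line" if m["user"] else None,
                "ktype": m["ktype"],
                "fingerprint": m["fp"],
                "file": m["file"],
                "addr": None,
                "port": None,
            }
            events.append(event)
            # A pid can be reused by a later child; keep only the newest event per pid.
            pending[m["pid"]] = event
            continue
        m = CLOSED_RE.search(line)
        if m and m["pid"] in pending:
            event = pending.pop(m["pid"])
            if event["user"] is None:
                event["user"] = m["user"]
                event["user_source"] = "closed-line"
            event["addr"] = m["addr"]
            event["port"] = int(m["port"])
    return events


def unresolved(events):
    """Events whose account could not be determined from any line."""
    return [e for e in events if e["user"] is None]


if __name__ == "__main__":
    for e in correlate_revoked_keys(SAMPLE_LOG):
        who = e["user"] or "<unknown account>"
        where = f"{e['addr']} port {e['port']}" if e["addr"] else "<no peer recorded>"
        print(f"pid {e['pid']}: {who} from {where} used revoked {e['ktype']} key "
              f"{e['fingerprint']} (account from: {e['user_source']})")
```

The PID is the only link the current format offers between the two lines, which is exactly the fragility the post is about: the third constructed event, whose closing line is missing, comes back with no account at all, whereas the proposed format attributes the fourth event from its own line before any follow-up is seen.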


Extraneous carriage return in usr.bin/ssh/log.c

2018-04-02 Thread Lars Noodén
I would propose removing what appears to be an unnecessary carriage
return that interferes with debugging output.

/Lars

Index: src/usr.bin/ssh/log.c
===
RCS file: /cvs/src/usr.bin/ssh/log.c,v
retrieving revision 1.50
diff -u -p -u -r1.50 log.c
--- src/usr.bin/ssh/log.c   17 May 2017 01:24:17 -  1.50
+++ src/usr.bin/ssh/log.c   2 Apr 2018 05:21:09 -
@@ -419,7 +419,7 @@ do_log(LogLevel level, const char *fmt,
tmp_handler(level, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
-   snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
+   snprintf(msgbuf, sizeof msgbuf, "%.*s\n",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
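Review bot: before dropping the "\r", confirm what this branch serves: ssh(1) writes its log output to stderr while the user's terminal is in raw mode during an interactive session, and a bare "\n" there does not return the cursor to column 0, so this change is likely to stair-step messages printed mid-session (debug output included) even though it looks cleaner when stderr is a file. If the goal is readable debug output when stderr is not a terminal, emitting "\r" only when isatty(log_stderr_fd) is true would serve both cases. Also, the width argument `(int)sizeof msgbuf - 3` reserved room for "\r\n" plus the NUL; with "\n" alone it should become `- 2`, otherwise the message is truncated one byte early.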



Re: manpage text width

2018-03-31 Thread Lars Noodén
On 3/31/18, Andras Farkas wrote:
> On Fri, Mar 30, 2018 at 11:23 AM, Chris Bennett wrote:
>> This is very important. Our brains just are not good at working with
>> long lines. This is hard-wired. If anyone doesn't believe me, try
>> setting your browser window to a narrower width or use reader mode.
>> We read by mapping things out on the line. If it's too long, our brains
>> get "confused" and information is lost.
> Is there any research backing this up?
[snip]

Yes and no.  The preferences of long or short lines might depend on
the individual doing the reading.  There is a study which seems highly
visible despite the small data set:

"No effects of line length were found for comprehension or
satisfaction, however, users indicated a strong preference
for either the short or long line lengths."

From "The Effects of Line Length on Reading Online News" (2005)
(Warning for PDF)
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.503.2885&rep=rep1&type=pdf

But there is a generally accepted optimal range allegedly listed in
Robert Bringhurst's "The Elements of Typographic Style":

"Anything from 45 to 75 characters is widely-regarded as a
satisfactory length of line for a single-column page set in
a serifed text face in a text size. The 66-character line
(counting both letters and spaces) is widely regarded as
ideal."

quoted from "The Line Length Misconception"
https://www.viget.com/articles/the-line-length-misconception/

/Lars



Re: sshd(8) logging of client disconnect from ClientAliveInterval

2017-10-17 Thread Lars Noodén
Here is a replacement patch.

/Lars

Index: serverloop.c
===
RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
retrieving revision 1.198
diff -u -p -u -r1.198 serverloop.c
--- serverloop.c12 Sep 2017 06:35:32 -  1.198
+++ serverloop.c17 Oct 2017 18:10:13 -
@@ -159,13 +159,24 @@ sigterm_handler(int sig)
 }

 static void
+fmt_connection_id(struct ssh *ssh, char *s, size_t l)
+{
+   snprintf(s, l, "%.200s%s%s port %d",
+   ssh->log_preamble ? ssh->log_preamble : "",
+   ssh->log_preamble ? " " : "",
+   ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+}
+
+static void
 client_alive_check(struct ssh *ssh)
 {
int channel_id;
+   char remote_id[512];

/* timeout, check to see how many we have had */
if (packet_inc_alive_timeouts() > options.client_alive_count_max) {
-   logit("Timeout, client not responding.");
+   fmt_connection_id(ssh, remote_id, sizeof(remote_id));
+   logit("Timeout, client not responding from %s", remote_id);
cleanup_exit(255);
}

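Review bot: this copies fmt_connection_id() out of packet.c (as the earlier reply in this thread says) rather than sharing it, leaving two private copies of the same preamble/address/port formatting to keep in sync; exporting the packet.c one through packet.h, or adding a small accessor there, would avoid the duplication. Minor: the snprintf() return value is ignored, which is acceptable for a log line into a 512-byte buffer given the %.200s cap on the preamble, but a comment saying so would stop a future format change from silently truncating.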
@@ -868,3 +879,4 @@ server_init_dispatch(void)
/* rekeying */
dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
+
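Review bot: the second hunk only adds an empty line after the closing brace of server_init_dispatch(), which leaves a trailing blank line at end of file; drop it from the diff.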



Re: sshd(8) logging of client disconnect from ClientAliveInterval

2017-10-17 Thread Lars Noodén
On 10/17/17, Darren Tucker  wrote:
[snip]
> probably better to use fmt_connection_id() instead of hand-rolling the
> format.

Ok.  I have added fmt_connection_id() to serverloop.c from packet.c

/Lars

Index: src/usr.bin/ssh/serverloop.c
===
RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
retrieving revision 1.198
diff -u -p -u -r1.198 serverloop.c
--- src/usr.bin/ssh/serverloop.c12 Sep 2017 06:35:32 -  1.198
+++ src/usr.bin/ssh/serverloop.c17 Oct 2017 09:57:34 -
@@ -162,10 +162,12 @@ static void
 client_alive_check(struct ssh *ssh)
 {
int channel_id;
+   char remote_id[512];

/* timeout, check to see how many we have had */
if (packet_inc_alive_timeouts() > options.client_alive_count_max) {
-   logit("Timeout, client not responding.");
+   fmt_connection_id(ssh, remote_id, sizeof(remote_id));
+   logit("Timeout, client not responding from %s", remote_id);
cleanup_exit(255);
}

@@ -868,3 +870,12 @@ server_init_dispatch(void)
/* rekeying */
dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
 }
+
+fmt_connection_id(struct ssh *ssh, char *s, size_t l)
+{
+   snprintf(s, l, "%.200s%s%s port %d",
+   ssh->log_preamble ? ssh->log_preamble : "",
+   ssh->log_preamble ? " " : "",
+   ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+}
+
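Review bot: the fmt_connection_id() definition added at the end of the file has no return type and no `static`, and it is defined after its use in client_alive_check() with no prototype in scope, so the compiler sees an implicit declaration at the call site and an implicit-int definition here, both of which modern C compilers reject. Give it `static void`, and either move the definition above client_alive_check() or add a prototype near the top of the file. The trailing empty line added after the closing brace should also be dropped.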



sshd(8) logging of client disconnect from ClientAliveInterval

2017-10-16 Thread Lars Noodén
sshd(8) used to log connection information when ClientAliveInterval
disconnected an idle client.

It used to look something like this a while back:

Oct 16 14:42:08 eee sshd[83709]: packet_write_poll: Connection from 192.0.2.97 port 57608: Host is down

Now it looks like this:

Oct 16 21:18:56 eee sshd[94170]: Timeout, client not responding.

It would be very useful to have the connection information back again.
Here is a cargo-culted modification that approximates the old style.

/Lars

Index: src/usr.bin/ssh/serverloop.c
===
RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
retrieving revision 1.198
diff -u -p -u -r1.198 serverloop.c
--- src/usr.bin/ssh/serverloop.c12 Sep 2017 06:35:32 -  1.198
+++ src/usr.bin/ssh/serverloop.c16 Oct 2017 18:58:01 -
@@ -165,7 +165,8 @@ client_alive_check(struct ssh *ssh)

/* timeout, check to see how many we have had */
if (packet_inc_alive_timeouts() > options.client_alive_count_max) {
-   logit("Timeout, client not responding.");
+   logit("Timeout, client not responding from %s on port %d.",
+   ssh_remote_ipaddr(ssh), ssh_remote_port(ssh) );
cleanup_exit(255);
}

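Review bot: style nit in the new logit() call: there is a stray space before the closing parenthesis in `ssh_remote_port(ssh) )`. Also consider writing the peer as "from %s port %d" rather than "from %s on port %d", so the address/port pair has the same shape as the "Connection from 192.0.2.97 port 57608" line quoted earlier in this message and can be picked up by the same log pattern as sshd's other connection lines.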


SyslogFacility in ssh_config(5) could imply logging via syslog(3)

2017-09-25 Thread Lars Noodén
What I am aiming for is a way to be able to set up ssh(1) logging
entirely from within ssh_config(5) without needing additional runtime
options.

Currently SyslogFacility in ssh_config(5) only sets the facility code
but does not actually change the logging to use syslog(3) and so
setting SyslogFacility is only useful in conjunction with the -y
option.  If setting SyslogFacility implies -y for ssh(1) then the
whole thing can be set from ssh_config(5), keeping all the adjustments
in one place.

The following illustrates what I am trying to describe.

/Lars

Index: src/usr.bin/ssh/ssh.c
===
RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.464
diff -u -p -u -r1.464 ssh.c
--- src/usr.bin/ssh/ssh.c   21 Sep 2017 19:16:53 -  1.464
+++ src/usr.bin/ssh/ssh.c   25 Sep 2017 16:11:29 -
@@ -958,6 +958,8 @@ main(int ac, char **av)
 * Initialize "log" output.  Since we are the client all output
 * goes to stderr unless otherwise specified by -y or -E.
 */
+   if (options.log_facility != SYSLOG_FACILITY_NOT_SET)
+   use_syslog = 1;
if (use_syslog && logfile != NULL)
fatal("Can't specify both -y and -E");
if (logfile != NULL)
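Review bot: the new check treats any options.log_facility other than SYSLOG_FACILITY_NOT_SET as "the user asked for syslog", which raises two things to confirm. First, that this point in main() runs before the configuration defaults are filled in: once the default (USER, per the ssh_config.5 hunk) has been applied the condition is always true and every ssh(1) invocation would log via syslog(3). Second, that a configuration stating the documented default, `SyslogFacility USER`, is meant to switch output to syslog, since that is a behaviour change rather than a no-op. A separate flag set by the config parser when the directive is explicitly present would express the intent more directly than inferring it from the facility value.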


Index: src/usr.bin/ssh/ssh_config.5
===
RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
retrieving revision 1.256
diff -u -p -u -r1.256 ssh_config.5
--- src/usr.bin/ssh/ssh_config.521 Sep 2017 19:16:53 -  1.256
+++ src/usr.bin/ssh/ssh_config.525 Sep 2017 16:16:02 -
@@ -1489,6 +1489,9 @@ known hosts will be verified automatical
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr ssh 1 .
+Begins logging using the
+.Xr syslog 3
+system module.
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is USER.
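Review bot: the added sentence "Begins logging using the syslog 3 system module" sits in a paragraph whose first sentence still describes the directive as only giving a facility code, and "system module" is not how the manual refers to syslog elsewhere. State the behaviour change plainly: that setting this directive also sends ssh(1) log output to syslog(3), as the -y option does, and cross-reference -y in ssh(1) so readers see the relationship between the two.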



ExposeAuthInfo in sshd_config.5

2017-09-25 Thread Lars Noodén
I would propose the following change, or something similar, to sshd_config.5

It is then more clear which options are accepted and how the directive is used.

/Lars

Index: src/usr.bin/ssh/sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.252
diff -u -p -u -r1.252 sshd_config.5
--- src/usr.bin/ssh/sshd_config.5   1 Sep 2017 15:41:26 -   1.252
+++ src/usr.bin/ssh/sshd_config.5   25 Sep 2017 12:49:21 -
@@ -576,11 +576,17 @@ TCP and StreamLocal.
 This option overrides all other forwarding-related options and may
 simplify restricted configurations.
 .It Cm ExposeAuthInfo
-Enables writing a file containing a list of authentication methods and
+Writes a temporary file containing a list of authentication methods and
 public credentials (e.g. keys) used to authenticate the user.
 The location of the file is exposed to the user session through the
 .Ev SSH_USER_AUTH
 environment variable.
+The value can be set to
+.Cm yes
+or
+.Cm no .
+The default is
+.Cm no .
 .It Cm FingerprintHash
 Specifies the hash algorithm used when logging key fingerprints.
 Valid options are:
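Review bot: "The value can be set to yes or no." and "The default is no." are right in substance, but the rest of sshd_config.5 phrases boolean directives as "The argument must be yes or no. The default is no."; matching that wording keeps the page consistent. Also, since the first line now opens with "Writes a temporary file", qualify it with "When enabled, ..." so the sentence does not read as if the file is written unconditionally.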



sshd_config(5) : mention CIDR addressing for AllowUsers and DenyUsers

2016-03-12 Thread Lars Noodén
It looks like sshd(8) has permitted for a while both AllowUsers and
DenyUsers in sshd_config(5) to use addresses in CIDR address/masklen
format.  If so, it would be useful to mention in the manual page.

/Lars

Index: sshd_config.5
===
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.220
diff -u -p -u -p -r1.220 sshd_config.5
--- sshd_config.5   17 Feb 2016 08:57:34 -  1.220
+++ sshd_config.5   13 Mar 2016 07:10:27 -
@@ -173,6 +173,8 @@ By default, login is allowed for all use
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
+HOST criteria may additionally contain addresses to match in CIDR
+address/masklen format.
 The allow/deny directives are processed in the following order:
 .Cm DenyUsers ,
 .Cm AllowUsers ,
@@ -561,6 +563,8 @@ By default, login is allowed for all use
 If the pattern takes the form USER@HOST then USER and HOST
 are separately checked, restricting logins to particular
 users from particular hosts.
+HOST criteria may additionally contain addresses to match in CIDR
+address/masklen format.
 The allow/deny directives are processed in the following order:
 .Cm DenyUsers ,
 .Cm AllowUsers ,



Re: perlre(1) and substitution evaluations

2013-11-30 Thread Lars Noodén
On 11/30/2013 01:52 PM, Marc Espie wrote:
> For this kind of thing, you're much better off talking to upstream
> as this is totally openbsd-independent.

Ok.  Thanks.

/Lars




Ogg media types in Apache

2009-08-20 Thread Lars Noodén
Below is a diff to add the Ogg media types described in RFC 5334 to
-current's Apache's mime-types

  http://tools.ietf.org/html/rfc5334#section-10

Regards,
-Lars

# diff /var/www/conf/mime.types /var/www/conf/mime.types.orig
56c56
< application/ogg   ogx
---
> application/ogg   ogg
420d419
< audio/ogg oga ogga spx
584d582
< video/ogg ogv oggv
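Review bot: the diff was produced as `diff mime.types mime.types.orig`, with the modified file first, so it is reversed relative to how patch(1) is normally applied (the `<` lines are the additions) and is in normal rather than unified format; regenerating it as `diff -u mime.types.orig mime.types` would let it be applied directly. On the content: RFC 5334 section 10, which the message cites, lists .oga, .ogg and .spx for audio/ogg, .ogv for video/ogg and .ogx for application/ogg, so the "ogga" and "oggv" extensions do not come from the RFC, and the change drops "ogg" altogether, so existing .ogg files would lose their media type instead of moving to audio/ogg.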