*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge 
(jdstrand):

Version: Ubuntu 8.10 (Intrepid)
Package: openssh-server:
  Installed: 1:5.1p1-3ubuntu1
  Candidate: 1:5.1p1-3ubuntu1
  Version table:
 *** 1:5.1p1-3ubuntu1 0
        500 http://us.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

What I expected: I expected failed public key authentication attempts to
be logged by default in /var/log/auth.log.

What happened: OpenSSH does not log failed public key authentication
attempts by default ("LogLevel INFO"); however, failed attempts using
password authentication are logged, as are attempts to log in with an
invalid username.

Fix: Change "LogLevel INFO" to "LogLevel VERBOSE" in /etc/ssh/sshd.conf.
This shouldn't be necessary as failed authentication attempts ought to
be logged by default, especially considering the possibility that users
may be using vulnerable keys generated before the recent openssl patch.

See https://bugzilla.mindrot.org/show_bug.cgi?id=1468 (suggests the bug
has been fixed in OpenSSH 5.1)

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
OpenSSH does not log failed authentication attempts when PublicKey method is 
used
https://bugs.launchpad.net/bugs/304598
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
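
An added example (not part of the bug report and not OpenSSH code): a check that reads sshd configuration text and reports whether the effective global LogLevel is at least VERBOSE, the setting the report names as the fix for failed public key attempts not being logged. It assumes the first LogLevel line before any Match block is the one in effect and that a missing line means INFO; the function names and sample configurations are constructed for illustration.

```python
import re
import sys

# sshd LogLevel values in increasing verbosity; DEBUG and DEBUG1 are equivalent.
LEVELS = ["QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG2", "DEBUG3"]
RANK = {name: i for i, name in enumerate(LEVELS)}
RANK["DEBUG1"] = RANK["DEBUG"]
DEFAULT_LEVEL = "INFO"  # what sshd uses when no LogLevel line is present

# Constructed sample configurations (not taken from the report).
SAMPLE_STOCK = "# stock setting\nPort 22\nLogLevel INFO\n"
SAMPLE_FIXED = "Port 22\nloglevel=verbose\nLogLevel INFO\n"
SAMPLE_MATCH_ONLY = "Port 22\nMatch User backup\n    LogLevel DEBUG\n"


def effective_loglevel(config_text):
    """Return the global LogLevel in effect for this sshd configuration text."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # assumption: only the global section (before Match) is checked
        if keyword == "loglevel" and len(parts) == 2 and parts[1]:
            # Assumption: the first value obtained wins; later lines are ignored.
            return parts[1].split()[0].strip('"').upper()
    return DEFAULT_LEVEL


def logs_failed_pubkey(config_text):
    """True if the level is VERBOSE or higher, the fix named in the report."""
    level = effective_loglevel(config_text)
    if level not in RANK:
        raise ValueError("unknown LogLevel: " + level)
    return RANK[level] >= RANK["VERBOSE"]


if __name__ == "__main__":
    # Hypothetical usage: pass the path of the sshd configuration file to audit.
    with open(sys.argv[1]) as fh:
        text = fh.read()
    print(effective_loglevel(text), "->",
          "failed public key attempts logged" if logs_failed_pubkey(text)
          else "failed public key attempts NOT logged")
```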
