[Bug 2245] New: Multiple USER_LOGIN messages when linux audit support is enabled on bad login

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jun 13 07:33:16 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2245

            Bug ID: 2245
           Summary: Multiple USER_LOGIN messages when linux audit support
                    is enabled on bad login
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: l.bigonville at edpnet.be

Hi,

With the current code in 6.6p1, the Linux auditing code is generating
multiple USER_LOGIN messages when either an unknown user or a wrong
password of an existing user is used.

With an unknown user, I get the following:

type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28756E6B6E6F776E207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28696E76616C6964207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
type=USER_LOGIN msg=audit(1402608429.761:146): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28696E76616C6964207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'

With an existing user and a wrong password, I get:

type=USER_LOGIN msg=audit(1402608698.581:159): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:160): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:161): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608701.089:163): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'


This is confusing tools like aulast (--bad), as it's displaying several
login attempts instead of just one.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
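
An added example (not part of the original report or of OpenSSH): a log-side way to keep failed-login counts from being inflated by the duplicate records shown above, which also decodes the hex-encoded acct values. The function names are hypothetical, and the grouping key (sshd pid plus source address, i.e. one entry per connection) is an assumption that undercounts a client making several genuine attempts on one connection.

```python
import re

# Records from the report above, unwrapped to one per line as auditd writes them.
SAMPLE = """\
type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608429.761:146): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:159): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:160): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:161): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608701.089:163): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
"""

REC = re.compile(
    r"^type=USER_LOGIN msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): pid=(?P<pid>\d+) .*?"
    r'acct=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+)) .*?'
    r"addr=(?P<addr>\S+) .*?res=(?P<res>\w+)'"
)

def decode_acct(m):
    """Return the account name: quoted values are literal, bare values are hex-encoded."""
    if m["quoted"] is not None:
        return m["quoted"]
    try:
        return bytes.fromhex(m["hex"]).decode("utf-8", "replace")
    except ValueError:          # odd-length or otherwise malformed hex: keep raw
        return m["hex"]

def failed_logins(text):
    """Collapse failed USER_LOGIN records to one entry per (sshd pid, addr).

    Assumption: one sshd pid corresponds to one connection, so all failure
    records sharing it are reported as a single failed login.
    """
    groups = {}
    for line in text.splitlines():
        m = REC.match(line)
        if not m or m["res"] != "failed":
            continue
        key = (int(m["pid"]), m["addr"])
        g = groups.setdefault(key, {"first": float(m["ts"]), "records": 0, "accts": []})
        g["records"] += 1
        acct = decode_acct(m)
        if acct not in g["accts"]:
            g["accts"].append(acct)
    return groups
```

On the records above this yields two entries: pid 6544 with 3 raw records and accounts "(unknown user)" and "(invalid user)", and pid 6567 with 4 raw records for "test".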

