[Bug 2245] New: Multiple USER_LOGIN messages when linux audit support is enabled on bad login
bugzilla-daemon at mindrot.org
Fri Jun 13 07:33:16 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2245
Bug ID: 2245
Summary: Multiple USER_LOGIN messages when linux audit support
is enabled on bad login
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: l.bigonville at edpnet.be
Hi,
With the current code in 6.6p1, the Linux auditing code is generating
multiple USER_LOGIN when either an unknown user or a wrong password of
an existing user is used.
With an unknown user, I get the following:
type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28756E6B6E6F776E207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28696E76616C6964207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
type=USER_LOGIN msg=audit(1402608429.761:146): pid=6544 uid=0 auid=1000
ses=3 msg='op=login acct=28696E76616C6964207573657229
exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd
res=failed'
With an existing user and a wrong password, I get:
type=USER_LOGIN msg=audit(1402608698.581:159): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:160): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:161): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608701.089:163): pid=6567 uid=0 auid=1000
ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=?
addr=192.168.122.1 terminal=sshd res=failed'
This is confusing tools like aulast (--bad) as it's displaying several
login attempts instead of just one.
--
You are receiving this mail because:
You are watching the assignee of the bug.
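
The following is an added example, not part of the original report and not OpenSSH or audit project code. It decodes the hex-encoded `acct` values shown in the report and collapses the repeated failed USER_LOGIN records so that log analysis is not inflated by the duplicates. Grouping by sshd pid and source address is an assumption made here: it counts connections, not individual password tries. The sample input is constructed by re-joining the wrapped records from the report, and the function names are hypothetical.

```python
import re

# Constructed sample: the records quoted in the report, re-joined onto single lines.
_TAIL = ' exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed\''
_HEAD = "type=USER_LOGIN msg=audit({}): pid={} uid=0 auid=1000 ses=3 msg='op=login acct={}"
SAMPLE = "\n".join(_HEAD.format(stamp, pid, acct) + _TAIL for stamp, pid, acct in [
    ("1402608427.317:143", 6544, "28756E6B6E6F776E207573657229"),
    ("1402608427.317:144", 6544, "28696E76616C6964207573657229"),
    ("1402608429.761:146", 6544, "28696E76616C6964207573657229"),
    ("1402608698.581:159", 6567, '"test"'),
    ("1402608698.581:160", 6567, '"test"'),
    ("1402608698.581:161", 6567, '"test"'),
    ("1402608701.089:163", 6567, '"test"'),
])

REC = re.compile(
    r'type=USER_LOGIN msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): pid=(?P<pid>\d+) .*?'
    r'acct=(?P<acct>"[^"]*"|[0-9A-Fa-f]+) .*?addr=(?P<addr>\S+) .*?res=(?P<res>\w+)')

def decode_acct(raw):
    """Audit quotes plain values and hex-encodes ones containing spaces or special characters."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:          # odd-length or otherwise invalid hex: keep the raw text
        return raw

def collapse_failed_logins(text):
    """Return {(pid, addr): summary} with one entry per sshd process and source address."""
    attempts = {}
    for line in text.splitlines():
        m = REC.search(line)
        if not m or m["res"] != "failed":
            continue
        key = (int(m["pid"]), m["addr"])    # assumption: one sshd pid == one connection
        entry = attempts.setdefault(
            key, {"first_ts": float(m["ts"]), "records": 0, "accts": []})
        entry["records"] += 1
        acct = decode_acct(m["acct"])
        if acct not in entry["accts"]:
            entry["accts"].append(acct)
    return attempts

if __name__ == "__main__":
    for (pid, addr), info in collapse_failed_logins(SAMPLE).items():
        print(pid, addr, info["records"], "records ->", info["accts"])
```
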