[Bug 2415] New: Public key failures are not counted and therefore not logged into syslog
bugzilla-daemon at mindrot.org
Thu Jun 18 19:37:46 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2415
Bug ID: 2415
Summary: Public key failures are not counted and therefore not logged into syslog
Product: Portable OpenSSH
Version: 6.8p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Our customer found out that public key failures are not logged and,
before turning on the VERBOSE log level, the only message you see in syslog is
> Jun 17 08:39:12 vm183 sshd[90005]: Connection closed by 10.65.x.x [preauth]
which is different from normal password authentication.
Further code reading led me to the function auth_log() in auth.c:286, where
you can see that methods other than password should be logged only
if you exceed half of the max_authtries option. That makes sense, since
many people just throw their public keys everywhere, so logging
every failure doesn't make sense.
But as I tried to push more keys to switch this knob on, it appeared
that in this context the authctxt->failures variable is ALWAYS zero for
pubkey authentication! This is caused by the fact that this log
message is issued only from the monitor process, but pubkey failures are
counted ONLY in the preauth child's authctxt. I was browsing through the
git history, but I didn't find any moment when it could have been
working (maybe before the implementation of privilege separation, when
there was only one authctxt?).
The difference between password authentication and pubkey is that this
log is called from mm_answer_keyallowed instead of from the standard cycle in
monitor_child_preauth.
The fix is pretty easy: just increment the failures value before (or after, as
the other log calls do?) calling the log function in monitor.c, but of course
I want to make sure that I didn't miss something from the protocol
specification. Everything looks like it is prepared for this, except it
doesn't work.
diff --git a/monitor.c b/monitor.c
--- a/monitor.c
+++ b/monitor.c
@@ -1267,6 +1267,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
hostbased_chost = chost;
} else {
/* Log failed attempt */
+ authctxt->failures++;
auth_log(authctxt, 0, 0, auth_method, NULL);
free(blob);
free(cuser);
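Review bot: the ordering of `authctxt->failures++;` relative to `auth_log(authctxt, 0, 0, auth_method, NULL);` in the else branch of mm_answer_keyallowed needs a deliberate decision, since the report says the other log call sites increment after logging while this hunk increments before it; because auth_log() compares this counter against half of max_authtries to decide whether to log a non-password failure, incrementing first shifts by one the attempt at which the first pubkey failure becomes visible in syslog. Either move the increment below the auth_log() call to match the existing convention, or keep it here and state in the commit message that this is intentional; in both cases confirm that a key rejected as not authorized is meant to count toward the same limit, so that this branch does not double-count with any other place the monitor already increments failures.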