[Bug 2415] New: Public key failures are not counted and therefore not logged into syslog

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jun 18 19:37:46 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2415

            Bug ID: 2415
           Summary: Public key failures are not counted and therefore not
                    logged into syslog
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Our customer found out that public key failures are not logged, and
before turning on the VERBOSE log level, the only message you see in syslog is
> Jun 17 08:39:12 vm183 sshd[90005]: Connection closed by 10.65.x.x [preauth]

which is different from normal password authentication.

Further code reading led me to the function auth_log() in auth.c:286, where
you can see that methods other than password should be logged only
if you exceed half of the max_authtries option. That makes sense, since
many people just throw their public keys everywhere, so logging
every failure doesn't make sense.

But as I tried to push more keys to switch this knob on, it appeared
that in this context the authctxt->failures variable is ALWAYS zero for
pubkey authentication! This is caused by the fact that this log
message is issued only from the monitor process, but pubkey failures are
counted ONLY in the preauth child's authctxt. I was browsing through the
git history, but I didn't find any moment when it could have been
working (maybe before the implementation of privilege separation, when
there was only one authctxt?).

The difference between password authentication and pubkey is that this
log is called from mm_answer_keyallowed instead of from the standard cycle in
monitor_child_preauth.

The fix is pretty easy: just increment the failures value before (or after, as
other log calls do?) calling the log function in monitor.c, but of course
I want to make sure that I didn't miss something from the protocol
specification. Everything looks like it is prepared for this, except it
doesn't work.

diff --git a/monitor.c b/monitor.c
--- a/monitor.c
+++ b/monitor.c
@@ -1267,6 +1267,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
         hostbased_chost = chost;
     } else {
         /* Log failed attempt */
+        authctxt->failures++;
         auth_log(authctxt, 0, 0, auth_method, NULL);
         free(blob);
         free(cuser);
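Review bot: the placement of `authctxt->failures++` relative to `auth_log(authctxt, 0, 0, auth_method, NULL)` decides whether the rejection being logged counts towards the `max_authtries / 2` threshold that auth_log() applies to non-password methods; incrementing first, as this hunk does, means the Nth rejected key is logged at INFO as soon as N reaches the threshold, whereas incrementing afterwards delays that by one attempt. The report itself leaves the before/after question open, so the choice should be stated, e.g. by changing the comment to `/* Count and log failed attempt */`. It is also worth confirming that the monitor's `authctxt->failures` is not already incremented for the same rejected key on another path (the report says pubkey failures are currently counted only in the preauth child, but that should be verified for hostbased as well, since this else-branch serves both methods), otherwise a single failure would be counted twice.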

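The effect described above, as an added illustration that is not part of the bug report or of OpenSSH's code: a small model of the two authctxt copies (preauth child and monitor) and of the threshold auth_log() applies to non-password methods. The loudness condition (`failures >= max_authtries / 2`, password always logged) is my summary of what the report describes, and the MaxAuthTries default of 6 is assumed; the type and function names are invented for the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not OpenSSH code) of the two authctxt copies the
 * report describes: one in the preauth child, one in the monitor. */
typedef struct {
    int failures;   /* the counter auth_log() consults */
    bool valid;     /* user exists; assumed true throughout */
} model_authctxt;

#define MAX_AUTHTRIES 6   /* sshd_config MaxAuthTries default, assumed */

/* Would auth_log() emit at the default LogLevel (INFO) rather than only at
 * VERBOSE?  Condition modelled on the report: methods other than password
 * are loud only once failures reach half of max_authtries. */
bool auth_log_is_loud(const model_authctxt *ac, int authenticated,
                      const char *method)
{
    return authenticated == 1 || !ac->valid ||
           ac->failures >= MAX_AUTHTRIES / 2 ||
           strcmp(method, "password") == 0;
}

/* Simulate `offers` rejected public keys from one client.  Each rejection
 * is counted in the preauth child; with count_in_monitor the monitor's copy
 * is incremented as well, before auth_log() runs, as the proposed one-line
 * patch does.  Returns how many of the rejections would be logged at INFO. */
int loud_pubkey_failures(int offers, bool count_in_monitor)
{
    model_authctxt preauth = { 0, true };
    model_authctxt monitor = { 0, true };
    int loud = 0;

    for (int i = 0; i < offers; i++) {
        preauth.failures++;                 /* counted in the child only */
        if (count_in_monitor)
            monitor.failures++;             /* the proposed fix */
        /* auth_log() runs in the monitor, so it sees the monitor's counter */
        if (auth_log_is_loud(&monitor, 0, "publickey"))
            loud++;
    }
    return loud;
}

int main(void)
{
    printf("10 rejected keys, unpatched: %d logged at INFO\n",
           loud_pubkey_failures(10, false));
    printf("10 rejected keys, patched:   %d logged at INFO\n",
           loud_pubkey_failures(10, true));
    return 0;
}
```

Without the monitor-side increment the threshold is never reached, so a client can offer any number of keys and leave only the `Connection closed by ... [preauth]` line behind at the default LogLevel; with it, every rejection from the third onwards (for MaxAuthTries 6) appears at INFO, matching the behaviour password failures already get.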