[Bug 3897] New: The empty string, when used as a username, should be marked in log output
bugzilla-daemon at mindrot.org
Sun Nov 16 07:57:21 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3897
Bug ID: 3897
Summary: The empty string, when used as a username, should be marked in log output
Product: Portable OpenSSH
Version: 10.2p1
Hardware: All
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: zack+bugzilla.mindrot at owlfolio.org
Someone likes to probe SSH servers using the empty string as a
username. (The empty string appears to be a legitimate value for the
username field of an SSH_MSG_USERAUTH_REQUEST packet, although of course
it's extremely unlikely to be valid on any given system.) I have ~100
hits per week like this on each of two machines exposed to the public
Internet:
sshd[43986]: Connection closed by invalid user 203.0.113.1 port 40082 [preauth]
sshd[44902]: Connection closed by invalid user 203.0.113.2 port 45076 [preauth]
sshd[45544]: Connection closed by invalid user 203.0.113.3 port 6132 [preauth]
sshd[47233]: Connection reset by invalid user 203.0.113.4 port 24312 [preauth]
sshd[49555]: Disconnecting invalid user 203.0.113.5 port 61173: Change of username or service not allowed: (,ssh-connection) -> (cisco,ssh-connection) [preauth]
The *bug* is that, particularly when it's part of the "log preamble",
the empty string is logged as an absence; this means that a regular
expression like
/ by invalid user \S+ \d+\.\d+\.\d+\.\d+ port /
will fail to match log entries like this.
I suggest that the empty username should be logged as "", and the
literal username "" should be logged as "\"\"", or some other such
easily recognizable quotation scheme.
--
You are receiving this mail because:
You are watching the assignee of the bug.
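
Added example (not part of the original report and not OpenSSH code): a log-side workaround that parses the "invalid user" preamble when the username is absent, next to the pattern quoted in the report, which misses those lines. The TOLERANT pattern, the function names, the two constructed sample lines, and the handling of a doubled space where the empty username would have been are assumptions.

```python
import re

# Pattern quoted in the report: requires a non-empty username token.
NAIVE = re.compile(r" by invalid user \S+ \d+\.\d+\.\d+\.\d+ port ")

# Tolerant pattern (added here): the username is optional, so a line where the
# empty username was logged as nothing still parses. IPv4 only, like NAIVE.
# Usernames containing whitespace are not handled.
TOLERANT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?P<event>Connection (?:closed|reset) by|Disconnecting)"
    r" invalid user (?:(?P<user>\S+)\s+|\s*)"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)

SAMPLE = [
    # Lines 0-2 are taken from the report.
    "sshd[43986]: Connection closed by invalid user 203.0.113.1 port 40082 [preauth]",
    "sshd[47233]: Connection reset by invalid user 203.0.113.4 port 24312 [preauth]",
    "sshd[49555]: Disconnecting invalid user 203.0.113.5 port 61173: Change of "
    "username or service not allowed: (,ssh-connection) -> "
    "(cisco,ssh-connection) [preauth]",
    # Lines 3-4 are constructed: doubled space (assumed), and a named user.
    "sshd[50001]: Connection closed by invalid user  203.0.113.6 port 50000 [preauth]",
    "sshd[50002]: Connection closed by invalid user admin 203.0.113.7 port 50001 [preauth]",
]


def parse(line):
    """Return event, user, ip and port for an 'invalid user' line, else None."""
    m = TOLERANT.search(line)
    if m is None:
        return None
    return {
        "event": m.group("event"),
        "user": m.group("user") or "",  # absent username becomes ""
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def empty_user_probes(lines):
    """Source IPs of connections that used the empty string as username."""
    return [p["ip"] for p in map(parse, lines) if p and p["user"] == ""]


if __name__ == "__main__":
    print("naive matches:", sum(bool(NAIVE.search(l)) for l in SAMPLE))
    print("empty-username sources:", empty_user_probes(SAMPLE))
```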