reverse mapping check; authentication methods
Pekka Savola
pekkas at netcore.fi
Wed Aug 29 19:04:33 EST 2007
Hello all,
My logs get filled with bogus SSH connection attempts which I'd expect
should have been denied without logging, so a couple of observations.
Syslog has lots of entries like:
Aug 29 02:23:31 otso sshd[21000]: reverse mapping checking getaddrinfo for powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:31 otso sshd[21000]: Invalid user upload from 78.110.207.104
and these also show as multiple 'lastb' entries in btmp:
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
...
This is a bit unexpected for two reasons: AllowUsers directive exists
and these users aren't listed there, and PasswordAuthentication is
disabled for them [1]. Yet they clutter the logs.
Looking at the code, it seems that the getaddrinfo failures don't seem
to result in the connection being rejected, even though the man page
would seem to indicate so [2], though it is not explicit about it. It also
seems that the possible authentication methods are only checked
(do_authloop in SSH1) after it has been verified whether the user
exists (causing these log messages). Likewise, in auth.c getpwnam()
is executed for the attempted user even if the user is not listed in
AllowUsers.
Would it make sense to check the usernames and hosts later, avoiding
unnecessary log clutter? Or is all of this intentional and due to
trying to avoid being able to use SSH to divulge whether a user is
allowed to log in or not?
[1] config is substantially as follows:
==8<===
Protocol 2,1
AllowUsers foo bar
PasswordAuthentication no
Match Host *.fi
    PasswordAuthentication yes
Match Host 2002:*
    PasswordAuthentication yes
==8<===
[2]
UseDNS Specifies whether sshd(8) should look up the remote host name
and check that the resolved host name for the remote IP address maps
back to the very same IP address. The default is "yes".
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
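The log clutter the post describes can at least be triaged mechanically while the sshd behaviour is being discussed. The script below is an added example, not part of the post or of OpenSSH: it parses the two sshd syslog message formats quoted above ("reverse mapping checking getaddrinfo for ... failed" and "Invalid user ... from ..."), groups the attempts by source address, reads the global AllowUsers line from the quoted sshd_config fragment, and lists which attempted usernames AllowUsers would never admit. The syslog sample is constructed from the lines in the post plus a few extra entries; the regular expressions match the message text as logged by sshd, and the config parser deliberately stops at the first Match block because the post's AllowUsers is global.

```python
"""Triage of the sshd log noise described in the post: count 'Invalid user'
attempts per source address, note which sources also failed the
reverse-mapping check, and compare attempted usernames with AllowUsers."""
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the syslog lines quoted in the post.
# The first entry is a single syslog line (the mail client wrapped it).
SAMPLE_SYSLOG = """\
Aug 29 02:23:31 otso sshd[21000]: reverse mapping checking getaddrinfo for powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:31 otso sshd[21000]: Invalid user upload from 78.110.207.104
Aug 29 02:23:35 otso sshd[21004]: Invalid user upload from 78.110.207.104
Aug 29 02:23:40 otso sshd[21006]: Invalid user admin from 78.110.207.104
Aug 29 02:30:02 otso sshd[21050]: Invalid user test from 192.0.2.7
Aug 29 02:31:15 otso sshd[21060]: Accepted publickey for foo from 198.51.100.9 port 40122 ssh2
"""

# The sshd_config fragment from the post (global section plus Match blocks).
SAMPLE_CONFIG = """\
Protocol 2,1
AllowUsers foo bar
PasswordAuthentication no
Match Host *.fi
    PasswordAuthentication yes
Match Host 2002:*
    PasswordAuthentication yes
"""

REVERSE_FAIL_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (?P<host>\S+) "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] failed")
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")


def parse_allow_users(config_text):
    """Return the usernames named by AllowUsers in the global section of an
    sshd_config (everything before the first Match block). Keywords are
    case-insensitive; values are whitespace-separated."""
    allowed = set()
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "allowusers":
            allowed.update(parts[1:])
    return allowed


def summarize_sshd_log(log_text):
    """Group the noisy events by source address.

    Returns (invalid_by_ip, reverse_failed): a mapping ip -> Counter of
    attempted usernames, and a mapping ip -> hostname that failed to map back.
    """
    invalid_by_ip = defaultdict(Counter)
    reverse_failed = {}
    for line in log_text.splitlines():
        m = REVERSE_FAIL_RE.search(line)
        if m:
            reverse_failed[m.group("ip")] = m.group("host")
            continue
        m = INVALID_USER_RE.search(line)
        if m:
            invalid_by_ip[m.group("ip")][m.group("user")] += 1
    return invalid_by_ip, reverse_failed


def attempts_outside_allowusers(invalid_by_ip, allowed):
    """Usernames tried that AllowUsers would never admit: the attempts the
    post argues could be rejected before they reach the log."""
    return {user
            for counter in invalid_by_ip.values()
            for user in counter
            if user not in allowed}


def report(log_text=SAMPLE_SYSLOG, config_text=SAMPLE_CONFIG):
    """Human-readable per-source summary."""
    allowed = parse_allow_users(config_text)
    invalid_by_ip, reverse_failed = summarize_sshd_log(log_text)
    lines = []
    for ip, counter in sorted(invalid_by_ip.items()):
        total = sum(counter.values())
        tag = " (reverse mapping failed)" if ip in reverse_failed else ""
        lines.append(f"{ip}: {total} invalid-user attempts, "
                     f"users {sorted(counter)}{tag}")
    outside = attempts_outside_allowusers(invalid_by_ip, allowed)
    lines.append(f"usernames outside AllowUsers {sorted(allowed)}: {sorted(outside)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run against a real syslog file by passing its contents to report(); the "Accepted publickey" line is deliberately left unmatched so that successful logins never count as noise.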