Logging Login Attempts
imorgan at nas.nasa.gov
Fri Oct 8 11:27:44 EST 2010
On Thu, Oct 07, 2010 at 17:47:50 -0500, Perry Wagle wrote:
> I have PasswordAuthentication turned off, and all I get is:
> Oct 7 10:44:02 brainz sshd: Connection from 18.104.22.168 port 50912
> From a(n anonymized) host that doesn't have the key to login with.
> I do get hundreds or thousands of invalid users though:
> Oct 6 04:13:19 brainz sshd: Invalid user spam from 22.214.171.124
> Maybe your path doesn't get used when you have passwords turned off?
> -- Perry
I have only glanced at the relevant code, but the intent is that it is
called for all authentication methods. That is why one of the arguments
to authlog() is the authentication method.
You should see messages of the form "Failed publickey for invalid user
spam from 126.96.36.199 port ..." Alternatively, you should see
something like "Accepted publickey for blah from ..." for successful
The code is there, and I can verify that it works for both 5.1p1 and
5.6p1. To eliminate any Debian-specific patches that might be
inadvertently interfering, you could build a stock version of 5.3p1 and
More information about the openssh-unix-dev
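
The log message forms quoted in the reply above ("Invalid user ...", "Failed publickey for invalid user ...", "Accepted publickey for ..."), parsed and tallied per source address. This is an added example, not part of the original post or of OpenSSH; the optional `[pid]` field, the trailing `ssh2`, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message shapes quoted in the thread. The optional "[pid]" after sshd and
# the text after the port number are assumptions about the syslog line.
AUTH_RE = re.compile(
    r"sshd(?:\[\d+\])?: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
INVALID_RE = re.compile(
    r"sshd(?:\[\d+\])?: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Oct  6 04:13:19 host sshd[2101]: Invalid user spam from 192.0.2.10
Oct  6 04:13:19 host sshd[2101]: Failed publickey for invalid user spam from 192.0.2.10 port 40122 ssh2
Oct  6 04:13:25 host sshd[2107]: Invalid user test from 192.0.2.44
Oct  7 10:44:02 host sshd[2230]: Connection from 198.51.100.7 port 50912
Oct  7 10:44:03 host sshd[2230]: Failed publickey for blah from 198.51.100.7 port 50912 ssh2
Oct  7 10:45:10 host sshd[2244]: Accepted publickey for blah from 203.0.113.5 port 51200 ssh2
"""

def parse_line(line):
    """Return a dict for an auth-related sshd line, or None for anything else."""
    m = AUTH_RE.search(line)
    if m:
        return {"event": m["result"].lower(), "method": m["method"],
                "user": m["user"], "ip": m["ip"],
                "invalid_user": m["invalid"] is not None}
    m = INVALID_RE.search(line)
    if m:
        return {"event": "invalid", "method": None, "user": m["user"],
                "ip": m["ip"], "invalid_user": True}
    return None

def summarize(text):
    """Count invalid/failed/accepted events per source address."""
    stats = defaultdict(lambda: {"invalid": 0, "failed": 0, "accepted": 0})
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            stats[event["ip"]][event["event"]] += 1
    return dict(stats)

def missing_auth_result(stats):
    """Addresses with 'Invalid user' lines but no Failed/Accepted line."""
    return sorted(ip for ip, c in stats.items()
                  if c["invalid"] and not (c["failed"] or c["accepted"]))
```

Addresses returned by `missing_auth_result(summarize(...))` show the pattern reported in the quoted message: an "Invalid user" entry with no per-method result line logged for the same source.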