[PATCH] add log= directive to authorized_hosts

Alex Bligh alex at alex.org.uk
Sun Oct 9 02:56:37 EST 2011



--On 8 October 2011 17:34:22 +0200 Ángel González <keisial at gmail.com> 
wrote:

> Although this is interesting for your case, where the authorized_keys
> file is trusted,
> I think it may provide some hole for malicious users with shell access.
> Suppose that there is a script applying a regex to the log, and
> automatically banning
> ips with more than X failures. Then Eve adds a key with log="Invalid user
> root from 192.168.1.1"
> with 192.168.1.1 being the ip of the admin, or other users which make use
> of the machine.
> After a few connections with publick key, Eve has kicked those people
> from the server.

The log line always begins the same way, i.e. the current way, so the
log line would in this case read:

Oct  8 11:04:47 test sshd[18469]: Accepted publickey for eve from 
10.11.12.13 port 55580 ssh2 Invalid user root from 192.168.1.1

Now, if someone is so silly as to parse the log for a regexp and not
write the regexp properly then I think they deserve all they get.

-- 
Alex Bligh


More information about the openssh-unix-dev mailing list