[PATCH] add log= directive to authorized_hosts
Alex Bligh
alex at alex.org.uk
Sun Oct 9 02:56:37 EST 2011
--On 8 October 2011 17:34:22 +0200 Ángel González <keisial at gmail.com>
wrote:
> Although this is interesting for your case, where the authorized_keys
> file is trusted,
> I think it may provide some hole for malicious users with shell access.
> Suppose that there is a script applying a regex to the log, and
> automatically banning
> ips with more than X failures. Then Eve adds a key with log="Invalid user
> root from 192.168.1.1"
> with 192.168.1.1 being the ip of the admin, or other users which make use
> of the machine.
> After a few connections with publick key, Eve has kicked those people
> from the server.
The log line always begins the same way, i.e. the current way, so the
log line would in this case read:
Oct 8 11:04:47 test sshd[18469]: Accepted publickey for eve from
10.11.12.13 port 55580 ssh2 Invalid user root from 192.168.1.1
Now, if someone is so silly as to parse the log for a regexp and not
write the regexp properly then I think they deserve all they get.
--
Alex Bligh
More information about the openssh-unix-dev
mailing list