public key authentication -- log invalid keys

TheGezer openssh-unix-dev at thegeezer.net
Fri Apr 25 22:52:46 EST 2014


Hi guys,
i was wondering if someone could point me in the right direction please.
if someone connects using public keys, but uses the wrong keys to
connect, openssh logs this kind of thing:

Apr 21 23:50:04 [sshd] SSH: Server;Ltype: Version;Remote:
122.169.248.92-49232;Protocol: 2.0;Client: libssh-0.2
Apr 21 23:50:05 [sshd] SSH: Server;Ltype: Kex;Remote:
122.169.248.92-49232;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Apr 21 23:50:05 [sshd] SSH: Server;Ltype: Version;Remote:
122.169.248.92-51680;Protocol: 2.0;Client: libssh-0.2
Apr 21 23:50:05 [sshd] SSH: Server;Ltype: Kex;Remote:
122.169.248.92-51680;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]

while i appreciate that bruteforcing a public key is significantly more
difficult than a short password, this does make me a little uneasy and
i'd like to be able to feed these bad IP addresses to my firewall.

however, when I correctly ssh to my machines, i get similar entries
Apr 20 09:16:24 [sshd] SSH: Server;Ltype: Version;Remote:
192.168.x.100-55939;Protocol: 2.0;Client: OpenSSH_5.9p1 Debian-5ubuntu3
Apr 20 09:16:24 [sshd] SSH: Server;Ltype: Kex;Remote:
192.168.x.100-55939;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
Apr 20 09:16:24 [sshd] SSH: Server;Ltype: Authname;Remote:
192.168.x.100-55939;Name: root [preauth]
Apr 20 09:16:28 [sshd] Accepted keyboard-interactive/pam for root from
192.168.x.100 port 55939 ssh2

i've tried changing LogLevel VERBOSE but it doesn't seem to make any
difference
what i was hoping for is something similar to this:

Apr 24 11:53:47 [sshd] input_userauth_request: invalid user ubuntu [preauth]

but saying "invalid keys" or similar.

any pointers gratefully received,
thanks in advance and especially thanks for openssh !


More information about the openssh-unix-dev mailing list