com.jcraft.jsch.JSchException: Auth fail
djm at mindrot.org
Thu Sep 15 06:23:44 AEST 2016
On Wed, 14 Sep 2016, Christian Kujau wrote:
> I've come across some messages from sshd (OpenSSH 6.7) in my auth.log that
> I hadn't noticed before:
> sshd: error: Received disconnect from x.x.x.x: 3: \
> com.jcraft.jsch.JSchException: Auth fail [preauth]
> I was kinda puzzled why sshd would emit some JCraft messages and the
> best explanation I found was this Serverfault answer, quoting a snippet
> from packet.c:1965 and adding:
It's logging the reason the client gave for disconnecting.
> > It looks like openssh server passes through the last message from the
> > client in its "Received disconnect" error message, so it appears that
> > this is a zombie login attempt from a botnet that is authored in Java.
> So, while this explains the log message, I'm wondering if there are some
> security implications in "passing messages from the client through the
> server and into the auth.log", i.e. could this be exploited somehow or is
> the function handling these strings in packet.c "strong" enough not to
> pass through or interpret malign strings?
I'm not seeing a problem here. It's logging a string, and we escape any
non-ASCII characters in log.c. If anything it's probably too strict
(wrt escaping valid UTF-8 from logs on systems that support it).
More information about the openssh-unix-dev