com.jcraft.jsch.JSchException: Auth fail

Christian Kujau lists at nerdbynature.de
Thu Sep 15 05:05:40 AEST 2016


Hi,

I've come across some messages from sshd (OpenSSH 6.7) in my auth.log that 
I hadn't noticed before:

 sshd[32008]: error: Received disconnect from x.x.x.x: 3: \
     com.jcraft.jsch.JSchException: Auth fail [preauth]

I was kinda puzzled why sshd would emit some JCraft[0] messages and the 
best explanation I found was this Serverfault[1] answer, quoting a snippet 
from packet.c:1965 and adding:

 > It looks like openssh server passes through the last message from the 
 > client in its "Received disconnect" error message, so it appears that 
 > this is a zombie login attempt from a botnet that is authored in Java.

So, while this explains the log message, I'm wondering if there are some 
security implications in "passing messages from the client through the 
server and into the auth.log", i.e. could this be exploited somehow or is 
the function handling these strings in packet.c "strong" enough not to 
pass through or interpret malign strings?

IOW, has this particular function been audited yet?

Thanks,
Christian.

[0] http://www.jcraft.com/jsch/
[1] https://serverfault.com/questions/650303/auth-log-indicates-error-with-jschexception/661616#661616
-- 
BOFH excuse #318:

Your EMAIL is now being delivered by the USPS.


More information about the openssh-unix-dev mailing list