com.jcraft.jsch.JSchException: Auth fail
Christian Kujau
lists at nerdbynature.de
Thu Sep 15 05:05:40 AEST 2016
Hi,

I've come across some messages from sshd (OpenSSH 6.7) in my auth.log that
I hadn't noticed before:

    sshd[32008]: error: Received disconnect from x.x.x.x: 3: \
    com.jcraft.jsch.JSchException: Auth fail [preauth]

I was kinda puzzled why sshd would emit some JCraft[0] messages and the
best explanation I found was this Serverfault[1] answer, quoting a snippet
from packet.c:1965 and adding:

> It looks like openssh server passes through the last message from the
> client in its "Received disconnect" error message, so it appears that
> this is a zombie login attempt from a botnet that is authored in Java.

So, while this explains the log message, I'm wondering if there are some
security implications in "passing messages from the client through the
server and into the auth.log", i.e. could this be exploited somehow or is
the function handling these strings in packet.c "strong" enough not to
pass through or interpret malign strings?

IOW, has this particular function been audited yet?

Thanks,
Christian.

[0] http://www.jcraft.com/jsch/
[1] https://serverfault.com/questions/650303/auth-log-indicates-error-with-jschexception/661616#661616
--
BOFH excuse #318:
Your EMAIL is now being delivered by the USPS.
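
Added example (not part of the original post and not OpenSSH code): a log consumer that parses "Received disconnect" records of the shape quoted above and treats the description field as untrusted client input, escaping it before display. The function names and the second sample record are constructed for illustration, and nothing here shows what sshd itself writes.

```python
import re

# Shape of the record quoted in the post:
#   sshd[<pid>]: error: Received disconnect from <peer>: <code>: <description> [preauth]
# <description> is text chosen by the client, so it is handled as untrusted.
DISCONNECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:error: )?Received disconnect from "
    r"(?P<peer>\S+): (?P<code>\d+): (?P<desc>.*?)(?P<preauth> \[preauth\])?$",
    re.DOTALL,  # keep matching even if the raw record carries a newline
)


def escape_untrusted(text):
    """Escape backslashes, control characters and non-ASCII so the text
    cannot drive a terminal or pass for additional log records."""
    return text.encode("unicode_escape").decode("ascii")


def parse_disconnect(record):
    """Return the fields of a 'Received disconnect' record, or None."""
    m = DISCONNECT_RE.search(record)
    if m is None:
        return None
    desc = m.group("desc")
    return {
        "pid": int(m.group("pid")),
        "peer": m.group("peer"),
        "code": int(m.group("code")),  # SSH disconnect reason code
        "preauth": m.group("preauth") is not None,
        "description": escape_untrusted(desc),
        # Flag anything outside printable ASCII in the client-chosen text.
        "suspicious": any(not (c.isascii() and c.isprintable()) for c in desc),
    }


# The record from the post, joined onto one line.
POST_LINE = ("sshd[32008]: error: Received disconnect from x.x.x.x: 3: "
             "com.jcraft.jsch.JSchException: Auth fail [preauth]")
# Constructed record: a description carrying an escape sequence and a newline,
# as a consumer reading unescaped input might encounter it.
CONSTRUCTED_RECORD = ("sshd[4242]: error: Received disconnect from 192.0.2.7: 11: "
                      "\x1b[2Jbye\nsshd[1]: fake entry [preauth]")

if __name__ == "__main__":
    for rec in (POST_LINE, CONSTRUCTED_RECORD):
        print(parse_disconnect(rec))
```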
More information about the openssh-unix-dev
mailing list