com.jcraft.jsch.JSchException: Auth fail

Damien Miller djm at mindrot.org
Thu Sep 15 06:23:44 AEST 2016


On Wed, 14 Sep 2016, Christian Kujau wrote:

> Hi,
> 
> I've come across some messages from sshd (OpenSSH 6.7) in my auth.log that 
> I hadn't noticed before:
> 
>  sshd[32008]: error: Received disconnect from x.x.x.x: 3: \
>      com.jcraft.jsch.JSchException: Auth fail [preauth]
> 
> I was kinda puzzled why sshd would emit some JCraft[0] messages and the 
> best explanation I found was this Serverfault[1] answer, quoting a snippet 
> from packet.c:1965 and adding:

It's logging the reason the client gave for disconnecting.

>  > It looks like openssh server passes through the last message from the 
>  > client in its "Received disconnect" error message, so it appears that 
>  > this is a zombie login attempt from a botnet that is authored in Java.
> 
> So, while this explains the log message, I'm wondering if there are some 
> security implications in "passing messages from the client through the 
> server and into the auth.log", i.e. could this be exploited somehow or is 
> the function handling these strings in packet.c "strong" enough not to 
> pass through or interpret malign strings?

I'm not seeing a problem here. It's logging a string, and we escape any
non-ASCII characters in log.c. If anything it's probably too strict
(wrt escaping valid UTF-8 from logs on systems that support it).

-d


More information about the openssh-unix-dev mailing list