Bug 2245

Summary: Multiple USER_LOGIN messages when linux audit support is enabled on bad login
Product: Portable OpenSSH Reporter: Laurent Bigonville <bigon>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: normal CC: plautrba
Priority: P5    
Version: 6.6p1   
Hardware: Other   
OS: Linux   
Attachments:
Description Flags
remove unnecessary audit events
none
don't use (invalid user) none

Description Laurent Bigonville 2014-06-13 07:33:16 AEST 
Hi,

Whit the current code in 6.6p1, the linux auditing code is generating multiples USER_LOGIN when either an unknown user or a wrong password of an existing user is used.

With an unknown user, I get the following:

type=USER_LOGIN msg=audit(1402608427.317:143): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608427.317:144): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608429.761:146): pid=6544 uid=0 auid=1000 ses=3 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'

With an existing user and a wrong password, I get:

type=USER_LOGIN msg=audit(1402608698.581:159): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:160): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608698.581:161): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'
type=USER_LOGIN msg=audit(1402608701.089:163): pid=6567 uid=0 auid=1000 ses=3 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=sshd res=failed'


This is confusing tools like aulast (--bad) as it's displaying several login attempts instead of just one
Comment 1 Laurent Bigonville 2014-06-13 07:40:01 AEST 
BTW, I'm not seeing this with the patched version in Fedora
Comment 2 Laurent Bigonville 2014-06-13 08:34:56 AEST 
Correction on Fedora, with an unknown user, I'm getting 2 messages when using an unknown user (not sure this is actually expected)


The 1st one immediately on connection

type=USER_LOGIN msg=audit(1402612040.555:407): pid=1980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=ssh res=failed'

The 2nd when the connection is closed (ctrl-c on the client side)

type=USER_LOGIN msg=audit(1402612042.009:412): pid=1980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=ssh res=failed'


But I can confirm that with an existing user and a wrong password, I'm only seeing one message at the end of the connection (either reached the number of max retry or by closing the connection)
Comment 3 Petr Lautrbach 2014-11-05 01:01:41 AEDT 
Created attachment 2501 [details]
remove unnecessary audit events

The AUDIT_USER_LOGIN event should be sent only 1 time and it is the summary decision of all the authentication/account attempts.
Comment 4 Petr Lautrbach 2014-11-05 01:19:21 AEDT 
Created attachment 2502 [details]
don't use (invalid user)

I also find using '(invalid user)' confusing. It's used in two cases - an user is unknown - getpwnamallow(user) returns NULL - or service is not set to 'ssh-connetion'.

The first case is quite common and I think an account in event should be marked '(unknown user)' instead of invalid which could be confusing for an auditor.

For the second case, it might be worth to split Authctxt.valid to Authctxt.valid_user and  Authctxt.valid_service to better distinguish ehse two case.