| Summary: | sshd does not log failed attempts using key-based authentication only | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Andrew Daviel <advax> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | security | CC: | djm, haeckse |
| Priority: | P2 | ||
| Version: | 5.3p1 | ||
| Hardware: | ix86 | ||
| OS: | Linux | ||
Setting Loglevel=verbose in sshd_config will show failed pubkey authentication attempts.

Thank you; that works. However, this setting is not the default and the manpage (sshd_config.5) does not document this feature.

With "Loglevel=verbose":

SSH-2.0-OpenSSH_5.0

    sshd[28336]: Connection from 127.0.0.1 port 35709
    sshd[28336]: Failed none for andrew from 127.0.0.1 port 35709 ssh2
    sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2

This is acceptable.

Older versions do not give as much detail:

SSH-2.0-OpenSSH_4.2

    sshd[3927]: Connection from a.b.c.d port 48465
    sshd[26716]: Failed none for andrew from a.b.c.d port 53023 ssh2

SSH-1.99-OpenSSH_3.5p1

    sshd[3927]: Connection from a.b.c.d port 48465

Mass update RESOLVED->CLOSED after release of openssh-5.1

In version 5.3p1 (and 5.1p1) neither setting the loglevel to verbose nor debug results in a log-message warning of failed publickey attempts. The loglevel info shows nothing at all. Loglevel verbose only shows this:

    Connection from 127.0.0.1 port 48464

It does work, but you probably don't have your syslogd listening in the right place: /var/empty/dev/log (might be different depending on what you set --with-privsep-path to when you were building sshd).

Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1
When testing the Debian SSH exploit against SSH-2.0-OpenSSH_4.1p1-hpn I noticed that sshd did not log key failures, only password failures. I just built SSH-2.0-OpenSSH_5.0 on Fedora Core 4 with no configure options (./configure; make) and again there is no logging.

    $ ./ssh -p 8022 -o PasswordAuthentication=no -i badkey localhost
    Permission denied (publickey,password).

- no log entry

    $ ./ssh -p 8022 -o PasswordAuthentication=no -i goodkey localhost

- login successful
- syslog entry:

    sshd[6987]: Accepted publickey for andrew from 127.0.0.1 port 39492 ssh2

The Debian exploit tries an average of 32,000 keys with no evidence in syslog apart from an entry on success.
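Added example, not part of the original bug report or of OpenSSH: a small log check built on the line shapes quoted in this thread. It counts `Failed publickey` lines per source address and lists connections that never produced a `Failed` or `Accepted` line, which is what a server logging below verbose leaves behind. The function name, the threshold of 3 and the sample lines (documentation addresses, made-up PIDs and timestamps) are assumptions.

```python
import re
from collections import Counter

# Line shapes taken from the log excerpts quoted in this report.
CONN = re.compile(r"sshd\[\d+\]: Connection from (\S+) port (\d+)")
AUTH = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\S+) for (?:invalid user )?"
                  r"\S+ from (\S+) port (\d+)")

def summarize(lines, threshold=3):
    """Count failed publickey attempts per source and list connections
    that never produced a Failed/Accepted line (no outcome was logged)."""
    failed = Counter()
    pending = {}                      # (source, port) -> raw Connection line
    for line in lines:
        auth = AUTH.search(line)
        if auth:
            outcome, method, src, port = auth.groups()
            pending.pop((src, port), None)   # this connection has an outcome
            if outcome == "Failed" and method == "publickey":
                failed[src] += 1
            continue
        conn = CONN.search(line)
        if conn:
            pending[conn.groups()] = line
    return {
        "failed_publickey": dict(failed),
        # Hypothetical alert rule: many key failures from one source.
        "flagged": sorted(s for s, n in failed.items() if n >= threshold),
        # Connections with no logged outcome: check LogLevel and syslog path.
        "no_outcome": sorted(pending),
    }

# Constructed sample input, not taken from a real system.
SAMPLE = """\
May 20 10:00:01 host sshd[101]: Connection from 198.51.100.7 port 40001
May 20 10:00:01 host sshd[101]: Failed none for andrew from 198.51.100.7 port 40001 ssh2
May 20 10:00:01 host sshd[101]: Failed publickey for andrew from 198.51.100.7 port 40001 ssh2
May 20 10:00:02 host sshd[102]: Connection from 198.51.100.7 port 40002
May 20 10:00:02 host sshd[102]: Failed publickey for andrew from 198.51.100.7 port 40002 ssh2
May 20 10:00:03 host sshd[103]: Connection from 198.51.100.7 port 40003
May 20 10:00:03 host sshd[103]: Failed publickey for andrew from 198.51.100.7 port 40003 ssh2
May 20 10:00:04 host sshd[104]: Connection from 192.0.2.10 port 50000
May 20 10:00:04 host sshd[104]: Accepted publickey for andrew from 192.0.2.10 port 50000 ssh2
May 20 10:00:05 host sshd[105]: Connection from 203.0.113.9 port 60000
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Connections are keyed by source address and port rather than by PID, since both appear on the `Connection from` and the `Failed`/`Accepted` lines quoted above.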