Bug 113 - input_userauth_request: illegal user ...
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: OpenSSH Bugzilla mailing list
Blocks: V_7_5
Reported: 2002-02-13 11:49 AEDT by Pavel Kankovsky
Modified: 2021-04-23 15:00 AEST
Description Pavel Kankovsky 2002-02-13 11:49:57 AEDT
I think it is pointless to print this message in input_userauth_request()
because invalid users are always reported by auth_log() in userauth_finish().
It should be demoted to a debugging message.
Comment 1 Damien Miller 2002-02-13 23:02:37 AEDT
What if they disconnect before that?
Comment 2 Pavel Kankovsky 2002-02-15 01:41:24 AEDT
Hmm...well...if clients can prevent sshd from logging a failed authentication
attempt then we have a much wider and much more serious problem and
"input_userauth_request: illegal user ..." does not solve it--what if the
username was valid? What if the client connected using protocol 1?
Comment 3 Damien Miller 2002-04-17 12:45:27 AEST
Such failures get logged anyway:

Apr 17 12:45:33 xenon sshd(pam_unix)[21188]: authentication failure; logname=
uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost.localdomain  user=root
Apr 17 12:45:35 xenon sshd[21188]: Failed password for root from 127.0.0.1 port
34002
Comment 4 Pavel Kankovsky 2002-04-18 22:40:45 AEST
With all due respect, you should re-read the original report. :) If "such
failures get logged anyway" (*) then that annoying and redundant
log("input_userauth_request: illegal user %s", user) can really go away (or be
reduced to a debugging message).

(*) Well, whether pam_unix logs them depends on whether the particular
implementation of pam_unix does it and whether pam_unix is used at all but this
is a completely different question.
Comment 5 Markus Friedl 2002-04-18 22:50:51 AEST
But the username might not get logged.
Comment 6 Markus Friedl 2002-04-18 23:40:00 AEST
Hm, permitted users won't get logged in the same case.
Not sure whether they should. We could try logging
the username on disconnect. Does this make sense?
Comment 7 Pavel Kankovsky 2002-04-19 00:06:24 AEST
Yes, something like "User joedoe disconnected in the middle of
keyboard-interactive authentication." or "Illegal user blahblah
disconnected..." if the client disconnects during the authentication.
Comment 8 Damien Miller 2017-02-04 10:17:17 AEDT
Resolved in:

commit f1a193464a7b77646f0d0cedc929068e4a413ab4
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 3 23:05:57 2017 +0000

    upstream commit
    
    use ssh_packet_set_log_preamble() to include connection
    username in packet log messages, e.g.
    
    Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]
    
    ok markus@ bz#113
    
    Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15

commit 07edd7e9537ab32aa52abb5fb2a915c350fcf441
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 3 23:03:33 2017 +0000

    upstream commit
    
    add ssh_packet_set_log_preamble() to allow inclusion of a
    preamble string in disconnect messages; ok markus@
    
    Upstream-ID: 34cb41182cd76d414c214ccb01c01707849afead
Comment 9 Damien Miller 2017-02-04 17:14:48 AEDT
btw I removed the log message that was the source of the original complaint in the same commit
Comment 10 Damien Miller 2021-04-23 15:00:24 AEST
closing resolved bugs as of 8.6p1 release
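
The pre-auth disconnect format quoted in the commit message in comment 8, parsed for log triage. This is an added example, not code from OpenSSH or from anyone in this thread. The `authenticating user` state and the `Disconnected from` / `Connection reset by` prefixes are assumptions about other messages sharing the same preamble, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Message part of an sshd log line (the text after "sshd[pid]: ").
# The user name is chosen by the client and may contain spaces, so the
# greedy (?P<user>.*) plus the end anchor makes the *last* "<addr> port <n>"
# the peer address, which is the part sshd itself writes.
PREAUTH_RE = re.compile(
    r"^(?P<event>Connection closed by|Disconnected from|Connection reset by) "
    r"(?:(?P<state>invalid|authenticating) user (?P<user>.*) )?"
    r"(?P<addr>\S+) port (?P<port>\d+) \[preauth\]$"
)

def parse_preauth_disconnect(message):
    """Return a dict for a pre-auth disconnect message, or None."""
    m = PREAUTH_RE.match(message.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def invalid_users_by_source(log_lines):
    """Map peer address -> sorted list of invalid user names it tried."""
    seen = defaultdict(set)
    for line in log_lines:
        # Drop the syslog prefix up to and including "sshd[pid]: ".
        _, sep, message = line.partition("]: ")
        rec = parse_preauth_disconnect(message) if sep else None
        if rec and rec["state"] == "invalid":
            seen[rec["addr"]].add(rec["user"])
    return {addr: sorted(users) for addr, users in seen.items()}

# Constructed sample lines (host name, PIDs and addresses are made up).
SAMPLE = [
    "Feb  4 10:17:01 xenon sshd[4101]: Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]",
    "Feb  4 10:17:05 xenon sshd[4102]: Connection closed by authenticating user root 10.1.1.1 port 44060 [preauth]",
    # User name crafted to look like an address; the real peer is 10.1.1.2.
    "Feb  4 10:17:09 xenon sshd[4103]: Disconnected from invalid user admin 192.0.2.9 port 22 10.1.1.2 port 51000 [preauth]",
    # Client left before sending any user name.
    "Feb  4 10:17:12 xenon sshd[4104]: Connection closed by 10.1.1.3 port 50000 [preauth]",
    "Feb  4 10:17:15 xenon sshd[4105]: Connection closed by invalid user bar 10.1.1.1 port 44070 [preauth]",
]

if __name__ == "__main__":
    for addr, users in invalid_users_by_source(SAMPLE).items():
        print(addr, users)
```
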