Bug 1468 - sshd does not log failed attempts using key-based authentication only
Summary: sshd does not log failed attempts using key-based authentication only
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.3p1
Hardware: ix86 Linux
: P2 security
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-22 18:26 AEST by Andrew Daviel
Modified: 2010-04-16 15:50 AEST

See Also:
Description Andrew Daviel 2008-05-22 18:26:23 AEST
When testing the Debian SSH exploit against SSH-2.0-OpenSSH_4.1p1-hpn
I noticed that sshd did not log key failures, only password failures.

I just built SSH-2.0-OpenSSH_5.0 on Fedora Core 4 with no configure options (./configure; make) and again there is no logging

$ ./ssh -p 8022 -o PasswordAuthentication=no -i badkey localhost
Permission denied (publickey,password).
  - no log entry

$ ./ssh -p 8022 -o PasswordAuthentication=no -i goodkey localhost
  - login successful
  - syslog entry: sshd[6987]: Accepted publickey for andrew from
    127.0.0.1 port 39492 ssh2

The Debian exploit tries an average of 32,000 keys with no evidence in
syslog apart from an entry on success.
Comment 1 Damien Miller 2008-05-23 03:31:42 AEST
Setting Loglevel=verbose in sshd_config will show failed pubkey authentication attempts.
Comment 2 Andrew Daviel 2008-05-23 04:08:53 AEST
Thank you; that works.

However, this setting is not the default and the manpage
(sshd_config.5) does not document this feature.

With "Loglevel=verbose" :

SSH-2.0-OpenSSH_5.0
sshd[28336]: Connection from 127.0.0.1 port 35709
sshd[28336]: Failed none for andrew from 127.0.0.1 port 35709 ssh2
sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2

This is acceptable.

Older versions do not give as much detail:

SSH-2.0-OpenSSH_4.2
sshd[3927]: Connection from a.b.c.d port 48465
sshd[26716]: Failed none for andrew from a.b.c.d port 53023 ssh2

SSH-1.99-OpenSSH_3.5p1
sshd[3927]: Connection from a.b.c.d port 48465
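The point of the exchange above is that a failed public-key attempt is invisible at the default log level and only becomes a `Failed publickey for ...` line at LogLevel VERBOSE. The following is an added example, not code from the bug report or from OpenSSH, showing how a defender would consume those VERBOSE lines: it parses the `Accepted`/`Failed <method> for <user> from <ip> port <port> ssh2` format quoted in the comments, discards the initial `Failed none` probe every client sends, and counts `Failed publickey` events per (user, source IP) so that a key-guessing run of the kind described in the report shows up as a high count from one source. The sample log is constructed from the lines in the report plus two extra failures; the threshold value is an assumption.

```python
import re
from collections import Counter

# sshd authentication result lines as quoted in the report. The "Failed publickey"
# form only appears when sshd_config has LogLevel VERBOSE; "Accepted ..." and
# "Failed password ..." appear at the default INFO level. The optional
# "invalid user" prefix covers attempts against accounts that do not exist.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample: the VERBOSE output from the report plus two more failed
# public-key attempts from the same client, then the successful login.
SAMPLE_LOG = """\
sshd[28336]: Connection from 127.0.0.1 port 35709
sshd[28336]: Failed none for andrew from 127.0.0.1 port 35709 ssh2
sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2
sshd[28337]: Failed publickey for andrew from 127.0.0.1 port 35710 ssh2
sshd[28338]: Failed publickey for andrew from 127.0.0.1 port 35711 ssh2
sshd[6987]: Accepted publickey for andrew from 127.0.0.1 port 39492 ssh2
"""


def parse_auth_events(lines):
    """Return one dict per authentication result line (connection lines are skipped)."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_pubkey_by_source(lines):
    """Count 'Failed publickey' lines per (user, source IP).

    'Failed none' is the initial method probe sent by every client, so it is
    excluded; otherwise each legitimate login would also count as a failure.
    """
    counts = Counter()
    for ev in parse_auth_events(lines):
        if ev["result"] == "Failed" and ev["method"] == "publickey":
            counts[(ev["user"], ev["ip"])] += 1
    return counts


def sources_over_threshold(lines, threshold=3):
    """(user, ip) pairs with at least `threshold` failed public-key attempts.

    A key-guessing run produces many of these from one source with no
    intervening success; the threshold here is an assumed value.
    """
    return sorted(src for src, n in failed_pubkey_by_source(lines).items()
                  if n >= threshold)


if __name__ == "__main__":
    for (user, ip), n in failed_pubkey_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{n} failed publickey attempts for {user} from {ip}")
    print("over threshold:", sources_over_threshold(SAMPLE_LOG.splitlines()))
```

Because the counting depends on the `Failed publickey` line existing at all, a log that shows only `Connection from ...` lines with no `Failed` lines for a host that is known to be probed is itself a signal that sshd is running at the default LogLevel (or, as the later comments show, that the syslog socket is not reachable from sshd's privsep chroot).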
Comment 3 Damien Miller 2008-07-22 12:24:40 AEST
Mass update RESOLVED->CLOSED after release of openssh-5.1
Comment 4 haeckse 2010-02-18 04:28:26 AEDT
In version 5.3p1 (and 5.1p1) neither setting the loglevel to verbose nor debug results in a log message warning of failed publickey attempts.

The loglevel info shows nothing at all.

Loglevel verbose only shows this:
Connection from 127.0.0.1 port 48464
Comment 5 Damien Miller 2010-02-19 05:40:46 AEDT
It does work, but you probably don't have your syslogd listening in the right place: /var/empty/dev/log (might be different depending on what you set --with-privsep-path to when you were building sshd).
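Comment 5 identifies the usual cause when VERBOSE still yields nothing: the unprivileged sshd child runs chrooted into the privsep directory, so its syslog writes go to `<privsep-path>/dev/log`, and a syslogd listening only on `/dev/log` never sees them. The following is an added example, not code from the bug report or from OpenSSH, that checks that condition from the defender's side: it verifies that `dev/log` under the privsep path exists and is a Unix-domain socket, and probes it with a datagram the way a chrooted writer would. The default path `/var/empty` follows the comment; the scratch-directory self-check at the end is constructed for testing. (With rsyslog, an extra listen socket is added through the imuxsock module, e.g. the legacy directive `$AddUnixListenSocket /var/empty/dev/log`; other syslog daemons have their own equivalents.)

```python
import os
import socket
import stat
import tempfile


def syslog_socket_in_privsep_chroot(privsep_path="/var/empty"):
    """True if <privsep_path>/dev/log exists and is a Unix-domain socket.

    The path default follows the bug comment; pass the value given to
    --with-privsep-path at build time if it differs.
    """
    target = os.path.join(privsep_path, "dev", "log")
    try:
        st = os.stat(target)
    except FileNotFoundError:
        return False
    return stat.S_ISSOCK(st.st_mode)


def probe_syslog_socket(privsep_path="/var/empty", text="sshd privsep probe"):
    """Send one syslog-style datagram to <privsep_path>/dev/log.

    Returns True if the send succeeds, i.e. some daemon is bound there and a
    chrooted sshd child could deliver its 'Failed publickey' lines.
    """
    target = os.path.join(privsep_path, "dev", "log")
    # <38> = facility auth (4*8) + severity info (6), the class sshd uses
    payload = f"<38>{text}".encode()
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(payload, target)
        return True
    except OSError:
        return False
    finally:
        s.close()


def self_check_in_scratch_dir():
    """Constructed demonstration: a scratch directory standing in for /var/empty.

    Returns (exists_before, exists_after, probe_before, probe_after, received)
    so the behaviour can be checked without touching the real system.
    """
    with tempfile.TemporaryDirectory() as scratch:
        exists_before = syslog_socket_in_privsep_chroot(scratch)
        probe_before = probe_syslog_socket(scratch)

        # Stand in for a syslogd that has been told to listen inside the chroot.
        os.makedirs(os.path.join(scratch, "dev"))
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(os.path.join(scratch, "dev", "log"))
        try:
            exists_after = syslog_socket_in_privsep_chroot(scratch)
            probe_after = probe_syslog_socket(scratch, "hello")
            received = listener.recv(1024).decode() if probe_after else ""
        finally:
            listener.close()
    return exists_before, exists_after, probe_before, probe_after, received


if __name__ == "__main__":
    print("/var/empty/dev/log is a socket:", syslog_socket_in_privsep_chroot())
    print("probe delivered:", probe_syslog_socket())
    print("scratch self-check:", self_check_in_scratch_dir())
```

Run it on the sshd host after enabling `LogLevel VERBOSE`; a `False` from the first two lines with an otherwise healthy syslogd reproduces exactly the "verbose shows only `Connection from`" symptom described in comment 4.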
Comment 6 Damien Miller 2010-04-16 15:50:14 AEST
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1