When testing the Debian SSH exploit against SSH-2.0-OpenSSH_4.1p1-hpn I noticed that sshd did not log key failures, only password failures. I just built SSH-2.0-OpenSSH_5.0 on Fedora Core 4 with no configure options (./configure; make) and again there is no logging:

$ ./ssh -p 8022 -o PasswordAuthentication=no -i badkey localhost
Permission denied (publickey,password).
- no log entry

$ ./ssh -p 8022 -o PasswordAuthentication=no -i goodkey localhost
- login successful
- syslog entry: sshd[6987]: Accepted publickey for andrew from 127.0.0.1 port 39492 ssh2

The Debian exploit tries an average of 32,000 keys with no evidence in syslog apart from an entry on success.
Setting Loglevel=verbose in sshd_config will show failed pubkey authentication attempts.
Thank you; that works. However, this setting is not the default and the manpage (sshd_config.5) does not document this feature.

With "Loglevel=verbose":

SSH-2.0-OpenSSH_5.0
sshd[28336]: Connection from 127.0.0.1 port 35709
sshd[28336]: Failed none for andrew from 127.0.0.1 port 35709 ssh2
sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2

This is acceptable. Older versions do not give as much detail:

SSH-2.0-OpenSSH_4.2
sshd[3927]: Connection from a.b.c.d port 48465
sshd[26716]: Failed none for andrew from a.b.c.d port 53023 ssh2

SSH-1.99-OpenSSH_3.5p1
sshd[3927]: Connection from a.b.c.d port 48465
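The point of the exchange above is that a key-guessing attack is only visible in syslog once sshd is running at LogLevel VERBOSE. The following is an added example, not code from the thread or from OpenSSH: a small detector that parses the "Failed publickey" / "Accepted publickey" lines in the format quoted above, counts rejected keys per (user, source address), and flags sources that exceed a threshold. The sample logs are constructed here to mimic the two situations described in the thread (a VERBOSE log with many rejected keys followed by a success, and the default INFO log where only the success appears); the threshold of 50 rejected keys is an assumed tuning value.

```python
import re
from collections import Counter

# Matches the sshd authentication lines quoted in the thread, e.g.
#   sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2
#   sshd[6987]: Accepted publickey for andrew from 127.0.0.1 port 39492 ssh2
# Any syslog timestamp/hostname prefix is ignored because search() is used.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
)


def parse_auth_events(lines):
    """Yield (result, method, user, src) for each sshd auth line; skip everything else."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def publickey_failures(lines):
    """Count 'Failed publickey' events per (user, source address) pair.

    'Failed none' lines (the initial no-op method) are deliberately not counted."""
    counts = Counter()
    for result, method, user, src in parse_auth_events(lines):
        if result == "Failed" and method == "publickey":
            counts[(user, src)] += 1
    return counts


def key_bruteforce_suspects(lines, threshold=50):
    """(user, src) pairs with at least `threshold` rejected keys, most failures first.

    `threshold` is an assumed tuning value: a legitimate client offers a handful
    of keys per session, whereas a weak-key search offers thousands."""
    return [(pair, n) for pair, n in publickey_failures(lines).most_common()
            if n >= threshold]


def successes_without_prior_failures(lines):
    """'Accepted publickey' logins whose (user, src) has no logged key failures.

    At the default LogLevel INFO this is all a key-guessing attack leaves
    behind, which is why the success line alone is not a usable signal."""
    failures = publickey_failures(lines)
    return [(user, src) for result, method, user, src in parse_auth_events(lines)
            if result == "Accepted" and method == "publickey"
            and failures[(user, src)] == 0]


# --- Constructed sample logs (not captured from a real host) -----------------
def constructed_verbose_log(n_bad_keys, user="andrew", src="10.0.0.5"):
    """Lines in the LogLevel VERBOSE format quoted above: n_bad_keys rejected keys,
    each in its own connection, followed by one successful login."""
    lines = []
    for i in range(n_bad_keys):
        pid, port = 4000 + i, 40000 + i
        lines.append(f"sshd[{pid}]: Connection from {src} port {port}")
        lines.append(f"sshd[{pid}]: Failed none for {user} from {src} port {port} ssh2")
        lines.append(f"sshd[{pid}]: Failed publickey for {user} from {src} port {port} ssh2")
    lines.append(f"sshd[9999]: Accepted publickey for {user} from {src} port 49999 ssh2")
    return lines


def constructed_info_log(user="andrew", src="10.0.0.5"):
    """The same attack at the default LogLevel INFO: only the final success is logged."""
    return [f"sshd[9999]: Accepted publickey for {user} from {src} port 49999 ssh2"]


if __name__ == "__main__":
    verbose = constructed_verbose_log(300)
    print("VERBOSE suspects:", key_bruteforce_suspects(verbose))
    print("INFO suspects   :", key_bruteforce_suspects(constructed_info_log()))
    print("INFO successes with no logged failures:",
          successes_without_prior_failures(constructed_info_log()))
```

Run against the VERBOSE sample the detector reports the attacking (user, source) pair with its failure count; run against the INFO sample it reports nothing, because sshd never wrote the failures. Feeding it real syslog output is a quick way to confirm that the LogLevel change has actually taken effect on a given build.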
Mass update RESOLVED->CLOSED after release of openssh-5.1
In version 5.3p1 (and 5.1p1) neither setting the loglevel to verbose nor debug results in a log message warning of failed publickey attempts. The loglevel info shows nothing at all. Loglevel verbose only shows this:

Connection from 127.0.0.1 port 48464
It does work, but you probably don't have your syslogd listening in the right place: /var/empty/dev/log (might be different depending on what you set --with-privsep-path to when you were building sshd).
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1