NetBSD-Users archive


SSHD logs confusion



Hello,

I am not sure if it's a bug, or if the bug lies in my config...
 
Viewing the authlog on a 6.1_STABLE box, (amd64, GENERIC,
OpenSSH_6.2p1), I see the usual ssh bruteforce attempts, however it
looks like they are bypassing pubkey only auth and using password auth:-

....
Sep 10 13:29:42 darkstar sshd[1765]: Invalid user ftp from <omitted>
Sep 10 13:29:42 darkstar sshd[1765]: input_userauth_request: invalid user ftp
Sep 10 13:29:42 darkstar sshd[1765]: Failed password for invalid user ftp from <omitted> port 54808 ssh2
Sep 10 13:29:43 darkstar sshd[1765]: error: Received disconnect from <omitted>: 11: Bye Bye
....
Sep 10 17:59:15 darkstar sshd[2288]: Connection from <omitted> port 56298
Sep 10 17:59:16 darkstar sshd[2288]: Invalid user cron from <omitted>
Sep 10 17:59:16 darkstar sshd[2288]: input_userauth_request: invalid user cron
Sep 10 17:59:16 darkstar sshd[2288]: Failed password for invalid user cron from <omitted> port 56298 ssh2
Sep 10 17:59:16 darkstar sshd[2288]: error: Received disconnect from <omitted>: 11: Bye Bye
Sep 10 17:59:16 darkstar sshd[14149]: Connection from <omitted> port 56419
Sep 10 17:59:17 darkstar sshd[14149]: Failed password for root from <omitted> port 56419 ssh2
Sep 10 17:59:17 darkstar sshd[14149]: error: Received disconnect from <omitted>: 11: Bye Bye
Sep 10 17:59:17 darkstar sshd[21692]: Connection from <omitted> port 56553
Sep 10 17:59:18 darkstar sshd[21692]: Failed password for root from <omitted> port 56553 ssh2
Sep 10 17:59:18 darkstar sshd[21692]: error: Received disconnect from <omitted>: 11: Bye Bye


When I connect with pubkey, I get the following as expected:-

Sep 10 20:57:59 darkstar sshd[5242]: Connection from <omitted> port 47627
Sep 10 20:57:59 darkstar sshd[5242]: Failed none for <my_user_name> from <omitted> port 47627 ssh2
Sep 10 20:58:05 darkstar sshd[5242]: Found matching RSA key: <XX:XX:XX:XX:XX:XX:XX>
Sep 10 20:58:05 darkstar sshd[5242]: Accepted publickey for <my_user_name> from <omitted> port 47627 ssh2


So, thinking that there is something wrong with my config, I try and
force password auth to try and reproduce the log :-

ssh -o PreferredAuthentications=keyboard-interactive -o PubKeyAuthentication=n root@<hostname>
and
ssh -o PreferredAuthentications=password -o PubKeyAuthentication=n root@<hostname>

but the log shows (correctly)

Sep 10 22:04:06 darkstar sshd[8948]: Failed none for root from <omitted> port 48465 ssh2
Sep 10 22:04:06 darkstar sshd[8948]: Connection closed by <omitted>


sshd.conf has these set :-

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

The config is pretty much identical to how it was on FreeBSD.  I am
stumped as to what exactly is happening.  ??

Cheers, Mike
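
Added example, not part of the original message: a check over authlog lines like those above that tallies sshd results per method and lists any login that was actually accepted by a method other than publickey. It also rejoins records that have been split across lines by mail wrapping. The sample log is constructed from the formats shown in the post; the addresses (documentation ranges) and the user name alice are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the log excerpts in the post (not real data).
SAMPLE = """\
Sep 10 17:59:16 darkstar sshd[2288]: Connection from 192.0.2.10 port 56298
Sep 10 17:59:16 darkstar sshd[2288]: Invalid user cron from 192.0.2.10
Sep 10 17:59:16 darkstar sshd[2288]: Failed password for invalid user
cron from 192.0.2.10 port 56298 ssh2
Sep 10 17:59:17 darkstar sshd[14149]: Failed password for root from
192.0.2.10 port 56419 ssh2
Sep 10 20:57:59 darkstar sshd[5242]: Failed none for alice from
198.51.100.7 port 47627 ssh2
Sep 10 20:58:05 darkstar sshd[5242]: Accepted publickey for
alice from 198.51.100.7 port 47627 ssh2
"""

# A syslog record starts with "Mon dd hh:mm:ss "; anything else is a continuation.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
AUTH = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def unwrap(text):
    """Rejoin syslog records that line wrapping split across lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text, allowed=("publickey",)):
    """Count results per method; list logins accepted via a disallowed method."""
    counts, violations = Counter(), []
    for rec in unwrap(text):
        m = AUTH.search(rec)
        if not m:
            continue
        counts[(m["result"], m["method"])] += 1
        if m["result"] == "Accepted" and m["method"] not in allowed:
            violations.append(rec)
    return counts, violations

if __name__ == "__main__":
    counts, violations = summarize(SAMPLE)
    for (result, method), n in sorted(counts.items()):
        print(f"{result:8} {method:10} {n}")
    print("accepted via disallowed method:", violations or "none")
```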






