Russ Allbery
2006-Nov-26 04:40 UTC
[Logcheck-devel] Bug#400426: logcheck-database: ssh gssapi-keyex authentication method
Package: logcheck-database Version: 1.2.51 Severity: minor Tags: patch ssh in etch now supports the gssapi-keyex authentication method, which produces syslog messages like: Nov 22 15:39:51 windlord sshd[30504]: Accepted gssapi-keyex for eagle from 171.66.157.13 port 2267 ssh2 Here's the obvious patch to filter these out. --- /home/eagle/tmp/logcheck-1.2.51/rulefiles/linux/ignore.d.server/ssh 2006-11-13 07:09:23.000000000 -0800 +++ /etc/logcheck/ignore.d.server/ssh 2006-11-25 20:18:57.000000000 -0800 @@ -1,4 +1,4 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Postponed keyboard-interactive(/pam)? for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM pam_putenv: delete non-existent entry; [[:alnum:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Server listening on [:[:xdigit:].]+ port [[:digit:]]+\.$ -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-1-686 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages logcheck-database depends on: ii debconf [debconf-2.0] 1.5.8 Debian configuration management sy logcheck-database recommends no packages. -- debconf information: logcheck-database/conffile-cleanup: false * logcheck-database/rules-directories-note: logcheck-database/standard-rename-note:
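Review bot: The file headers diff an unpacked copy under /home/eagle/tmp/logcheck-1.2.51/rulefiles/linux/ignore.d.server/ssh against the installed /etc/logcheck/ignore.d.server/ssh, so the two sides have different path depths and no single -p level maps the patch onto the source tree. Regenerating it with both sides relative to rulefiles/linux/ignore.d.server/ssh would let it apply directly. In the changed line, `gssapi(-with-mic|-keyex)?` does match the sample message quoted in the report ("Accepted gssapi-keyex for eagle from 171.66.157.13 port 2267 ssh2"), and the group stays optional, so plain "gssapi" is still covered. As a style point, `gssapi(-(with-mic|keyex))?` would factor out the shared hyphen and read more easily if further GSSAPI method names are added later. The other three rules in the hunk are unchanged context and need no comment.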