Alberto Gonzalez Iniesta
2014-Apr-02 16:58 UTC
[Logcheck-devel] Bug#743000: Bug#743000: logcheck: i.d.s/ssh regex doesn't match when using key exchange authentication
On Sat, Mar 29, 2014 at 10:53:09PM +0100, philou wrote:
> Current regex in i.d.s/ssh doesn't match when using key exchange authentication.
>
> If not using key exchange authentication, the following log message will be correctly ignored:
>
> Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2
>
> When using key exchange authentication, the following log message will NOT be ignored:
>
> Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c
>

Hi Philippe,

Could you tell me which option you are using in order to get the latter message? That way I can reproduce it and fix the rule.

Thanks,

Alberto

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: agi at inittab.org | for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Philou
2014-Apr-03 23:19 UTC
[Logcheck-devel] Bug#743000: Bug#743000: logcheck: i.d.s/ssh regex doesn't match when using key exchange authentication
Hi Alberto,
You mean, which ssh option? Default sshd configuration on the
server; it's just that, as I'm using key exchange authentication, some
text is appended at the end of the syslog message (": RSA
e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c"), and as such the very
first regex of i.d.s/ssh won't match:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted
(gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased)
for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?$
As a temporary solution, I removed the "$" at the end of the regex, so
that it matches anything that comes after "ssh2". So it works whether
I'm using login/pwd or key exchange authentication.
Truly yours,
Philippe
> On 2 Apr 2014 at 18:58, Alberto Gonzalez Iniesta <agi at inittab.org>
> wrote:
>
>> On Sat, Mar 29, 2014 at 10:53:09PM +0100, philou wrote:
>> Current regex in i.d.s/ssh doesn't match when using key exchange
>> authentication.
>>
>> If not using key exchange authentication, the following log message
>> will be correctly ignored:
>>
>> Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from
>> 192.0.2.60 port 20042 ssh2
>>
>> When using key exchange authentication, the following log message
>> will NOT be ignored:
>>
>> Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from
>> 192.0.2.60 port 60594 ssh2: RSA
>> e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c
>
> Hi Philippe,
>
> Could you tell me which option you are using in order to get the
> latter message? That way I can reproduce it and fix the rule.
>
> Thanks,
>
> Alberto
>
> --
> Alberto Gonzalez Iniesta | Training, consulting and technical support
> mailto/sip: agi at inittab.org | for GNU/Linux and free software
> Encrypted mail preferred | http://inittab.com
>
> Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
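To make the behaviour discussed in this thread concrete, here is an added example that is not code from the thread or from the logcheck project. It runs the quoted ignore.d.server/ssh rule with grep -E, the way logcheck applies its rule files, against the two sample lines from the bug report plus one constructed line carrying an unrelated trailer, and compares three variants: the original anchored rule, Philippe's workaround with the trailing "$" dropped, and a tighter alternative that keeps the anchor but admits an optional ": <keytype> <fingerprint>" suffix. The key-type alternation (RSA|DSA|ECDSA|ED25519) and the 16-pair colon-separated hex fingerprint shape are assumptions of this example, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread or from the logcheck project.
# logcheck applies each line of an ignore.d.server file as an extended
# regex (grep -E); a line that matches is silenced. These helpers do the
# same with grep -E so the three rule variants can be compared.

# Rule exactly as quoted in the thread (one physical line in the rule file).
ORIG_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?$'

# Philippe's temporary workaround: the same rule with the trailing "$" removed.
NO_ANCHOR_RULE=${ORIG_RULE%\$}

# Tighter alternative (an assumption of this example, not a rule the thread
# proposes): keep the anchor but allow an optional ": <keytype> <fingerprint>"
# suffix, the fingerprint being 16 colon-separated hex byte pairs as in the
# reported line. Key types other than RSA are assumed here.
FP_SUFFIX='(: (RSA|DSA|ECDSA|ED25519) [[:xdigit:]]{2}(:[[:xdigit:]]{2}){15})?'
TIGHT_RULE="${NO_ANCHOR_RULE}${FP_SUFFIX}\$"

# The two lines from the bug report, plus one constructed line with a
# trailer the rule never anticipated (to show what an unanchored rule
# would also silence).
LINE_PLAIN='Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2'
LINE_FP='Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c'
LINE_ODD='Jan 28 11:53:00 server sshd[5200]: Accepted publickey for fred from 192.0.2.60 port 22 ssh2 plus a trailer the rule never anticipated'

# classify RULE LINE -> prints "ignored" if the rule matches (logcheck would
# drop the line) or "reported" if it does not (logcheck would mail it).
classify() {
    if printf '%s\n' "$2" | grep -Eq -e "$1"; then
        echo ignored
    else
        echo reported
    fi
}

# report NAME RULE -> one table row showing how the rule treats each sample.
report() {
    printf '%-15s plain=%-8s fingerprint=%-8s odd-trailer=%s\n' "$1" \
        "$(classify "$2" "$LINE_PLAIN")" \
        "$(classify "$2" "$LINE_FP")" \
        "$(classify "$2" "$LINE_ODD")"
}

report ORIG_RULE "$ORIG_RULE"
report NO_ANCHOR_RULE "$NO_ANCHOR_RULE"
report TIGHT_RULE "$TIGHT_RULE"
```

Running it prints one row per variant: the original rule silences the plain line but reports the fingerprint line (the bug); the unanchored workaround silences all three, including the constructed odd-trailer line, which is the coverage cost of dropping "$"; the tighter variant silences exactly the two legitimate forms and still reports the unexpected one.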