bugzilla-daemon at bugzilla.mindrot.org
2008-May-22 08:26 UTC
[Bug 1468] New: sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
Summary: sshd does not log failed attempts using key-based
authentication only
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: advax at triumf.ca
When testing the Debian SSH exploit against SSH-2.0-OpenSSH_4.1p1-hpn
I noticed that sshd did not log key failures, only password failures.
I just built SSH-2.0-OpenSSH_5.0 on Fedora Core 4 with no configure
options (./configure; make) and again there is no logging:
$ ./ssh -p 8022 -o PasswordAuthentication=no -i badkey localhost
Permission denied (publickey,password).
- no log entry
$ ./ssh -p 8022 -o PasswordAuthentication=no -i goodkey localhost
- login successful
- syslog entry: sshd[6987]: Accepted publickey for andrew from 127.0.0.1 port 39492 ssh2
The Debian exploit tries an average of 32,000 keys with no evidence in
syslog apart from an entry on success.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-May-22 17:31 UTC
[Bug 1468] sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2008-05-23
03:31:42 ---
Setting Loglevel=verbose in sshd_config will show failed pubkey
authentication attempts.
bugzilla-daemon at bugzilla.mindrot.org
2008-May-22 18:08 UTC
[Bug 1468] sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
--- Comment #2 from Andrew Daviel <advax at triumf.ca> 2008-05-23 04:08:53 ---
Thank you; that works. However, this setting is not the default and the
manpage (sshd_config.5) does not document this feature.
With "Loglevel=verbose":
SSH-2.0-OpenSSH_5.0
sshd[28336]: Connection from 127.0.0.1 port 35709
sshd[28336]: Failed none for andrew from 127.0.0.1 port 35709 ssh2
sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2
This is acceptable.
Older versions do not give as much detail:
SSH-2.0-OpenSSH_4.2
sshd[3927]: Connection from a.b.c.d port 48465
sshd[26716]: Failed none for andrew from a.b.c.d port 53023 ssh2
SSH-1.99-OpenSSH_3.5p1
sshd[3927]: Connection from a.b.c.d port 48465
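A detection sketch for the log format quoted in comment #2, added here as an example (it is not part of the bug thread or of OpenSSH): it counts `Failed publickey` entries per source address in sshd syslog output written at LogLevel VERBOSE and reports sources at or above a threshold. The sample lines, addresses, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter

# Message format as shown in the thread:
#   sshd[28336]: Failed publickey for andrew from 127.0.0.1 port 35709 ssh2
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def failed_pubkey_by_source(lines):
    """Count failed publickey attempts per (source address, user)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        # "Failed none" is the client's initial method probe, logged on
        # every connection, so only the publickey method is counted.
        if m and m.group("method") == "publickey":
            counts[(m.group("src"), m.group("user"))] += 1
    return counts

def flag_sources(lines, threshold=5):
    """Return {source: failures} for sources at or above the threshold."""
    per_src = Counter()
    for (src, _user), n in failed_pubkey_by_source(lines).items():
        per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}

# Constructed sample: eight key failures from one address, then a single
# failure followed by a successful login from another.
SAMPLE = (
    ["May 22 08:26:00 host sshd[7000]: Connection from 192.0.2.10 port 40000",
     "May 22 08:26:00 host sshd[7000]: Failed none for andrew "
     "from 192.0.2.10 port 40000 ssh2"]
    + [f"May 22 08:26:{i:02d} host sshd[{7000 + i}]: Failed publickey for "
       f"andrew from 192.0.2.10 port {40000 + i} ssh2" for i in range(1, 9)]
    + ["May 22 08:27:00 host sshd[7100]: Failed publickey for andrew "
       "from 198.51.100.7 port 51000 ssh2",
       "May 22 08:27:05 host sshd[7100]: Accepted publickey for andrew "
       "from 198.51.100.7 port 51000 ssh2"]
)

if __name__ == "__main__":
    for src, n in flag_sources(SAMPLE).items():
        print(f"{src}: {n} failed publickey attempts")
```

With the default LogLevel these `Failed publickey` lines are absent, as the original report describes, so the counter would see nothing.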
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:24 UTC
[Bug 1468] sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> 2008-07-22
12:24:40 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1
bugzilla-daemon at bugzilla.mindrot.org
2010-Feb-17 17:28 UTC
[Bug 1468] sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
haeckse at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |haeckse at gmail.com
Version|5.0p1 |5.3p1
Status|CLOSED |REOPENED
Resolution|INVALID |
--- Comment #4 from haeckse at gmail.com 2010-02-18 04:28:26 EST ---
In version 5.3p1 (and 5.1p1) neither setting the loglevel to verbose
nor debug results in a log-message warning of failed publickey
attempts.
The loglevel info shows nothing at all.
Loglevel verbose only shows this:
Connection from 127.0.0.1 port 48464
bugzilla-daemon at bugzilla.mindrot.org
2010-Feb-18 18:40 UTC
[Bug 1468] sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
--- Comment #5 from Damien Miller <djm at mindrot.org> 2010-02-19 05:40:46
EST ---
It does work, but you probably don't have your syslogd listening in the
right place: /var/empty/dev/log (might be different depending on what
you set --with-privsep-path to when you were building sshd).
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-16 05:50 UTC
[Bug 1468] sshd does not log failed attempts using key-based authentication only
https://bugzilla.mindrot.org/show_bug.cgi?id=1468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> 2010-04-16 15:50:14
EST ---
Mass move of bugs RESOLVED->CLOSED following the release of
openssh-5.5p1