Bug#429243: passwords stopped working, SSH stopped logging failures!
Package: openssh-server
Version: 1:4.6p1-1
Severity: grave
The openssh-server "unstable" upgrade yesterday made sshd stop logging
failures correcty to syslog. If I successfully log in, then a message
is correctly printed in /var/log/auth.log like these:
Jun 16 09:04:39 ten22 sshd[28070]: Accepted password for brandon from ... port 49393 ssh2
Jun 16 09:07:42 ten22 sshd[28496]: Accepted publickey for brandon from ... port 38827 ssh2
But my many attempts to log in that resulted, on the client end, in
the message:
Permission denied (publickey).
left absolutely *no* trace in the logs! I verified that the SSH
server was indeed answering these connections (and that they weren't
getting routed to the wrong machine or anything) by stopping it,
running it in debug mode (/usr/sbin/sshd -e -f) and then also under
strace(1), and seeing that it was indeed receiving the connection and
responding with a refusal to allow a connection.
Now: why was it refusing to let me log on with a password? Password
logins had been succeeding since the machine was installed long ago;
what had changed? Well, I am not sure whether SSH has changed or my
config files (I will check my backups), but I did find the directive
in /etc/ssh/sshd_config:
PasswordAuthentication no
How did that get there!? And if it were there before, why was SSH
letting me in? I had better check my backups right now, because I
guess that's an important question. [Three minute pause.] Well, how
odd! "PasswordAuthentication no" has been my setting for as long as I
have been keeping backups, and yet SSH always permitted them!
I suppose I had the option turned off because the phrase "cleartext"
in the comment line above it made it sound like something bad. But,
of course, it doesn't really mean "clear text"; the password in fact
is well-protected by the SSH stream encryption.
So: I have no complaint about SSH beginning to honor this option
correctly, since I suppose it should, but it would be nice if the
package had an extremely high-priority warning presented to the user
during pre-installation warning them that this option was to begin
being honored and the user had better adjust their sshd_config file
(if the install script detects that "PasswordAuthentication no" is
set, of course; the warning is irrelevant otherwise.)
Anyway, my real worry here - and the reason I have put "grave" as the
severity level - is that login failures appear to no longer be sent to
syslog, which seems a huge problem in the daemon that is protecting my
system at its most fundamental level. Though, I must admit, it does
still seem to log failures *if* the method is password authentication;
but its not logging public-key-based failures still seems worrisome
enough to warrant immediate attention.
The log format seems to have changed, oddly enough; until the upgrade
it seems to have been saying, upon accepting a password,
May 16 10:28:19 ten22 sshd[11852]: Accepted keyboard-interactive/pam for brandon from ... port 36847 ssh2
but after the upgrade the messages changed to:
Jun 16 09:41:56 ten22 sshd[31175]: Accepted password for brandon from ... port 56485 ssh2
Again, public key failures - when that is the only method available -
result in no logging of the failed attempt.
My sshd_config looked like (before I changed "no" to "yes" as
described above):
------------------------------------------------------------------------
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
------------------------------------------------------------------------
--
Brandon Craig Rhodes brandon@rhodesmill.org http://rhodesmill.org/brandon
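
An added example, not part of the original report and not OpenSSH code: it checks which sshd_config settings still let a typed password through when "PasswordAuthentication no" is set, and tallies the method named in "Accepted" lines like those quoted above. The function names are hypothetical, and the defaults are the upstream ones from sshd_config(5), which a distribution build may change.

```python
import re
from collections import Counter

# Upstream defaults per sshd_config(5); assumed here, a distribution build may differ.
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "usepam": "no"}

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd keeps the first value it sees."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip().lower())
    return conf

def typed_password_paths(config_text):
    """Auth methods through which a typed password can still be accepted."""
    conf = {**DEFAULTS, **parse_sshd_config(config_text)}
    paths = []
    if conf["passwordauthentication"] == "yes":
        paths.append("password")
    # PAM conversation over keyboard-interactive; not governed by PasswordAuthentication.
    if conf["challengeresponseauthentication"] == "yes" and conf["usepam"] == "yes":
        paths.append("keyboard-interactive/pam")
    return paths

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from ")

def accepted_methods(log_text):
    """Count the auth method named in each 'Accepted ...' line of auth.log."""
    return Counter(m.group(1) for m in ACCEPTED.finditer(log_text))

# Constructed sample: the report's relevant settings with PasswordAuthentication no.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
#ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
"""
# Three 'Accepted' lines quoted in the report, unchanged.
SAMPLE_LOG = """\
May 16 10:28:19 ten22 sshd[11852]: Accepted keyboard-interactive/pam for brandon from ... port 36847 ssh2
Jun 16 09:04:39 ten22 sshd[28070]: Accepted password for brandon from ... port 49393 ssh2
Jun 16 09:07:42 ten22 sshd[28496]: Accepted publickey for brandon from ... port 38827 ssh2
"""

if __name__ == "__main__":
    print("typed-password paths:", typed_password_paths(SAMPLE_CONFIG))
    print("methods seen in log:", dict(accepted_methods(SAMPLE_LOG)))
```

To audit a live host, pass the contents of /etc/ssh/sshd_config and /var/log/auth.log to the two functions in place of the samples.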