Bypassing allowed_users with PAM in sshd?

To: debian-security@lists.debian.org
Subject: Bypassing allowed_users with PAM in sshd?
From: Marcus Williams <marcus@quintic.co.uk>
Date: Wed, 08 Nov 2006 14:48:56 +0000
Message-id: <[🔎] 4551EE58.5020003@quintic.co.uk>

Hi -

I noticed in logwatch reports today that someone had tried logging in asroot to one of my servers recently. No surprise there as this happensevery day. However I have explicitly set up a set of users inallowed_users and root isnt one of them (I also have AllowRootLogin setto false). Whats strange is that I get a report of:


    Authentication Failures:
       root (xxx.208.3.xxx): 2 Time(s)

in the sshd report in logwatch and a report of:

    xxx.208.3.xxx: 3 times
       root/keyboard-interactive/pam: 2 times
       root/none: 1 time

in the Illegal users report. And yet the number of users being blockedby the allowed users list is being reported as 2 less than it should be.This could be coincidence but I've never seen a report of"root/keyboard-interactive/pam" failures and they happen to be the samenumber that I'm missing.


This is on an up to date (with security apt repos as well) debian sarge.

Anybody got any idea?

Thanks

Marcus

Reply to:

Follow-Ups:
- Re: Bypassing allowed_users with PAM in sshd?
  - From: Hans van Kranenburg <od251@xs4all.nl>

Prev by Date: Re: bind9 security problem?
Next by Date: Re: bind9 security problem?
Previous by thread: Give us a call when you get a chance
Next by thread: Re: Bypassing allowed_users with PAM in sshd?
Index(es):
- Date
- Thread