Bypassing allowed_users with PAM in sshd?
Hi -
I noticed in logwatch reports today that someone had tried logging in as
root to one of my servers recently. No surprise there as this happens
every day. However, I have explicitly set up a set of users in
allowed_users and root isn't one of them (I also have AllowRootLogin set
to false). What's strange is that I get a report of:
    Authentication Failures:
       root (xxx.208.3.xxx): 2 Time(s)
in the sshd report in logwatch and a report of:
    xxx.208.3.xxx: 3 times
       root/keyboard-interactive/pam: 2 times
       root/none: 1 time
in the Illegal users report. And yet the number of users being blocked
by the allowed users list is being reported as 2 less than it should be.
This could be coincidence but I've never seen a report of
"root/keyboard-interactive/pam" failures and they happen to be the same
number that I'm missing.
This is on an up-to-date (with security apt repos as well) Debian sarge.
Anybody got any idea?
Thanks
Marcus