Heyho! [[ cc appreciated. thanks. ]] My sshd (squeeze) is logging strange things. I'm using "Match" in sshd_config. a key based root log in shows: +++ Dec 27 10:28:29 zopf sshd: Authentication tried for root with correct key but not from a permitted host (host=XX, ip=172.23.XX). Dec 27 10:28:29 zopf sshd: Authentication tried for root with correct key but not from a permitted host (host=XX, ip=172.23.XX). Dec 27 10:28:29 zopf sshd: Accepted publickey for root from 172.23.XX port 43210 ssh2 Dec 27 10:28:29 zopf sshd: pam_unix(sshd:session): session opened for user root by (uid=0) +++ and a password based sftp log in as (non-root) user shows: +++ Dec 27 10:29:13 zopf sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=95.XX user=UU Dec 27 10:29:13 zopf sshd: Accepted password for UU from 95.XX port 42912 ssh2 Dec 27 10:29:13 zopf sshd: pam_unix(sshd:session): session opened for user UU by (uid=0) Dec 27 10:29:13 zopf sshd: subsystem request for sftp +++ In both cases, I can work just fine. The 2nd case is quite bad, because "authentication failure" should usually trigger fail2ban. I have tried to log in as root withour key or as user with the wrong password, and this has worked so far. Also, I can't log in as root from a non- priviledged host, so it seems to be "only" a problem with logging. My set up has: part of sshd_config: +++ PubkeyAuthentication yes PasswordAuthentication no PermitRootLogin no Match User UU,VV PasswordAuthentication yes ForceCommand internal-sftp ChrootDirectory %h # allow administration & dirvish back up Match Address 172.16.0.0/12 PermitRootLogin without-password +++ and the pam stuff: +++ # grep auth sshd auth required pam_env.so #  auth required pam_env.so envfile=/etc/default/locale @include common-auth # cat common-auth auth required pam_access.so auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass auth requisite pam_deny.so auth required pam_permit.so +++ (I added pam_access to common-auth, rest is squeeze standard) access.conf has one (non-comment/empty) line: +++ -:ALL EXCEPT root GG1 GG2:ALL EXCEPT LOCAL +++ and my user UU is in GG2. One other oddity: If I try to log in via ssh without key, from a public IP and with a username that is not UU or VV, nothing is written to syslog at all. (which makes using fail2ban pretty much obsolete.) -- featured link: http://www.pool.ntp.org
Description: This is a digitally signed message part.