Heyho!
[[ cc appreciated. thanks. ]]
My sshd (squeeze) is logging strange things. I'm using "Match" in
sshd_config.
A key-based root login shows:
+++
Dec 27 10:28:29 zopf sshd[3269]: Authentication tried for root with correct key but not from a permitted host (host=XX, ip=172.23.XX).
Dec 27 10:28:29 zopf sshd[3269]: Authentication tried for root with correct key but not from a permitted host (host=XX, ip=172.23.XX).
Dec 27 10:28:29 zopf sshd[3269]: Accepted publickey for root from 172.23.XX port 43210 ssh2
Dec 27 10:28:29 zopf sshd[3269]: pam_unix(sshd:session): session opened for user root by (uid=0)
+++
and a password-based sftp login as a (non-root) user shows:
+++
Dec 27 10:29:13 zopf sshd[3287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=95.XX user=UU
Dec 27 10:29:13 zopf sshd[3287]: Accepted password for UU from 95.XX port 42912 ssh2
Dec 27 10:29:13 zopf sshd[3287]: pam_unix(sshd:session): session opened for user UU by (uid=0)
Dec 27 10:29:13 zopf sshd[3289]: subsystem request for sftp
+++
In both cases, I can work just fine. The 2nd case is quite bad, because
"authentication failure" should usually trigger fail2ban.
I have tried to log in as root without a key, or as a user with the wrong
password, and this has worked so far. Also, I can't log in as root from a
non-privileged host, so it seems to be "only" a problem with logging.
My setup has the following.
Part of sshd_config:
+++
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User UU,VV
PasswordAuthentication yes
ForceCommand internal-sftp
ChrootDirectory %h
# allow administration & dirvish back up
Match Address 172.16.0.0/12
PermitRootLogin without-password
+++
and the pam stuff:
+++
# grep auth sshd
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
@include common-auth
# cat common-auth
auth required pam_access.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
+++
(I added pam_access to common-auth, rest is squeeze standard)
access.conf has one (non-comment/empty) line:
+++
-:ALL EXCEPT root GG1 GG2:ALL EXCEPT LOCAL
+++
and my user UU is in GG2.
One other oddity: if I try to log in via ssh without a key, from a public
IP and with a username that is not UU or VV, nothing is written to syslog
at all (which makes using fail2ban pretty much obsolete).
--
featured link: http://www.pool.ntp.org
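As an added illustration (not part of the post above, and not fail2ban's own filter code), the following script shows one way a log-based banning tool could avoid the false positive described in the second log excerpt: the pam_unix "authentication failure" line and the later "Accepted password" line come from the same sshd process (PID 3287), so grouping events by PID and only counting failures from processes that never logged an "Accepted" line separates a noisy-but-successful login from a genuinely failed one. The sample log lines are constructed from the excerpts in the post; hostnames, IPs (TEST-NET ranges) and the third, purely failing session are placeholders I made up.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the excerpts in the post. The first two
# sessions (PIDs 3269 and 3287) reproduce the post's pattern: a "failure"-looking
# line followed by an "Accepted" line from the same sshd PID. The third session
# (PID 3301) is an invented, genuinely failed login with no "Accepted" line.
SAMPLE_LOG = """\
Dec 27 10:28:29 zopf sshd[3269]: Authentication tried for root with correct key but not from a permitted host (host=backup, ip=172.23.0.5).
Dec 27 10:28:29 zopf sshd[3269]: Authentication tried for root with correct key but not from a permitted host (host=backup, ip=172.23.0.5).
Dec 27 10:28:29 zopf sshd[3269]: Accepted publickey for root from 172.23.0.5 port 43210 ssh2
Dec 27 10:28:29 zopf sshd[3269]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 27 10:29:13 zopf sshd[3287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=UU
Dec 27 10:29:13 zopf sshd[3287]: Accepted password for UU from 203.0.113.9 port 42912 ssh2
Dec 27 10:29:13 zopf sshd[3287]: pam_unix(sshd:session): session opened for user UU by (uid=0)
Dec 27 10:29:13 zopf sshd[3289]: subsystem request for sftp
Dec 27 10:31:02 zopf sshd[3301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.77 user=WW
Dec 27 10:31:04 zopf sshd[3301]: Failed password for WW from 203.0.113.77 port 51022 ssh2
"""

# Syslog prefix: timestamp, host, "sshd[<pid>]: " and the message body.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)

# The three failure-looking message shapes seen in the post (plus the ordinary
# "Failed password" line sshd writes on a wrong password). Each alternative
# captures the client address under a different group name.
FAIL_RE = re.compile(
    r'authentication failure;.*rhost=(?P<ip>\S*)'
    r'|Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip2>\S+)'
    r'|not from a permitted host \(host=[^,]+, ip=(?P<ip3>[^)]+)\)'
)

ACCEPT_RE = re.compile(r'^Accepted \w+ for \S+ from (?P<ip>\S+)')


def parse_events(text):
    """Group sshd log lines by PID; each event is a (kind, ip, message) tuple."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        pid, msg = m.group('pid'), m.group('msg')
        acc = ACCEPT_RE.match(msg)
        if acc:
            by_pid[pid].append(('accept', acc.group('ip'), msg))
            continue
        fail = FAIL_RE.search(msg)
        if fail:
            ip = fail.group('ip') or fail.group('ip2') or fail.group('ip3') or ''
            by_pid[pid].append(('fail', ip, msg))
        # session/subsystem lines carry no auth outcome and are ignored
    return by_pid


def naive_failures(text):
    """What a purely line-by-line filter would count: every failure line,
    including the ones from sessions that went on to succeed."""
    return [ip for events in parse_events(text).values()
            for kind, ip, _ in events if kind == 'fail']


def effective_failures(text):
    """Failure lines from sshd processes that never logged an 'Accepted' line.
    Sessions that ended in 'Accepted' are dropped entirely."""
    out = []
    for pid, events in parse_events(text).items():
        if any(kind == 'accept' for kind, _, _ in events):
            continue
        out.extend(ip for kind, ip, _ in events if kind == 'fail')
    return out


def failures_per_ip(text):
    """Effective failures tallied per client address, as a ban decision would use."""
    counts = defaultdict(int)
    for ip in effective_failures(text):
        counts[ip] += 1
    return dict(counts)


if __name__ == '__main__':
    print('line-by-line count :', len(naive_failures(SAMPLE_LOG)))     # 5
    print('per-session count  :', len(effective_failures(SAMPLE_LOG)))  # 2
    print('per IP             :', failures_per_ip(SAMPLE_LOG))
```

On the sample, a line-by-line filter counts five failures (two from the root key login, one from UU's sftp login, two from the invented WW session), while the per-PID view keeps only the two from PID 3301. The caveat for a real deployment is that this needs a look-ahead window: the "Accepted" line arrives after the failure line, so a streaming tool has to hold failures for a few seconds before counting them, and it still cannot address the post's last point, where nothing is logged at all for the rejected login.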