
Re: OpenSSH not logging denied public keys, even with logging set to verbose.



On 03/01/12 21:00, Bedwell, Jordon wrote:
> On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <cheako@mikemestnik.net> wrote:
>> On 03/01/12 18:57, Russell Coker wrote:
>>> On Fri, 2 Mar 2012, Jordon Bedwell <envygeeks@gmail.com> wrote:
>>>>> Run the command below.
>>>>>
>>>>>  grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>>>>>
>>>>> If you don't get 1 as output, your sshd is compromised.
>>>> It returned 1, this happens on freshly installed Debian and Ubuntu too
>>>> though, tested it on Ubuntu too.
>>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>>
>>> If you had a sshd that is compromised in the same way as one was on one of my
>>> servers then Anibal's command will give an output of 0.
>>>
>>> I don't know what relevance this has to a discussion of OpenSSH logging
>>> though.
>>>
>>> I'd like to have OpenSSH log the email address field from a key that was used
>>> for login so I could see something like "ssh key russell@coker.com.au was used
>>> to login to account rjc" in my logs.
>>>
>> From what I know that information (the comment on the key) is not very
>> secure, Joe could put Bob as his comment...
>>
>> However one could do a look-up on the key from a key-server and get the
>> email address that way.  This is assuming that people are using their
>> gpg (email) keys for ssh.
> I don't know if the chroot idea is legitimate or not, but I went ahead
> and started a logger in /run/sshd/dev/log and there were still no logs
> for publickey denied, and if this idea was actually for sure true, why
> would it show successful logins in the log and not unsuccessful logins
> in the log?
>
I don't know the details, but I've done this and was then able to track
down my Kerberos issues.  Unsuccessful logins might not ever leave the
chroot, they exit there and then.  Successful logins get a return
somehow, likely via a pipe created earlier.

It seems like this isn't working for you.  That's when I start ssh on
another port under an strace...

strace -f sshd -p 222

Plus whatever other options.  Then ssh to port 222 and get the log of
what happens...  This is how I originally discovered where I needed to
place my syslog socket.
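The strace approach above works because each syslog() call OpenSSH makes is a fresh connect() to the log socket, so once the privilege-separated child has chroot()ed, that connect() fails with ENOENT and the auth-failure message is silently dropped. The script below is an added example, not code from the thread or from OpenSSH: it pulls the chroot directory and the unreachable socket path out of an `strace -f` trace so you can see exactly where the socket has to be created. The trace lines it ships with are constructed to look like a Debian-style sshd (chroot into /run/sshd); port 222, the trace file name and the PIDs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: locate the syslog socket a
# chrooted sshd child tried to reach, from strace output.
#
# Capture the trace (assumptions: port 222 is free; -D keeps sshd in the
# foreground so that strace -f follows every privilege-separated child):
#
#   strace -f -e trace=chroot,connect -o /tmp/sshd.trace /usr/sbin/sshd -D -p 222
#
# then attempt one login against port 222 with a key that is not authorised
# and run:  find_missing_log_sockets /tmp/sshd.trace

# Print, once each, "<chroot dir> <socket path>" for every AF_UNIX connect()
# that failed with ENOENT, paired with the chroot() the same PID entered first.
# OpenSSH opens the log socket afresh for every message, so a failed connect()
# is a log line that went nowhere.  $1 is an strace -f output file (every line
# begins with the PID that made the call).
find_missing_log_sockets() {
    awk '
        # remember the directory each PID chrooted into
        /chroot\("/ {
            match($0, /chroot\("[^"]*"\)/)
            root[$1] = substr($0, RSTART + 8, RLENGTH - 10)
        }
        # a failed AF_UNIX connect(): the socket does not exist inside the chroot
        /connect\(.*sun_path="/ && /= -1 ENOENT/ {
            match($0, /sun_path="[^"]*"/)
            path = substr($0, RSTART + 10, RLENGTH - 11)
            dir = ($1 in root) ? root[$1] : "/"
            key = dir " " path
            if (!(key in seen)) {
                seen[key] = 1
                print dir, path
            }
        }
    ' "$1"
}

# Constructed sample of what the trace above looks like on a Debian-style
# sshd (chroot into /run/sshd): the listener logs fine, both children fail.
write_sample_trace() {
    cat > "$1" <<'EOF'
4211 connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
4215 chroot("/run/sshd")                = 0
4215 connect(5, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
4215 +++ exited with 255 +++
4218 chroot("/run/sshd")                = 0
4218 connect(5, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
4218 +++ exited with 255 +++
EOF
}

sample="${TMPDIR:-/tmp}/sshd.sample.trace"
write_sample_trace "$sample"
find_missing_log_sockets "$sample"    # prints: /run/sshd /dev/log
rm -f "$sample"
```

The output tells you the socket the child wanted is /run/sshd/dev/log, which is the path mentioned earlier in this thread. With rsyslog the imuxsock directive `$AddUnixListenSocket /run/sshd/dev/log` creates an extra listener there; check the directory exists and re-run the trace to confirm the connect() now returns 0.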

