
Re: OpenSSH not logging denied public keys, even with logging set to verbose.

On 03/01/12 21:16, Mike Mestnik wrote:
> On 03/01/12 21:00, Bedwell, Jordon wrote:
>> On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <cheako@mikemestnik.net> wrote:
>>> On 03/01/12 18:57, Russell Coker wrote:
>>>> On Fri, 2 Mar 2012, Jordon Bedwell <envygeeks@gmail.com> wrote:
>>>>>> Run the command below.
>>>>>>  grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>>>>>> If you don't get 1 as output, your sshd is compromised.
>>>>> It returned 1, this happens on freshly installed Debian and Ubuntu too
>>>>> though, tested it on Ubuntu too.
>>>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>>> If you had a sshd that is compromised in the same way as one was on one of my
>>>> servers then Anibal's command will give an output of 0.
>>>> I don't know what relevance this has to a discussion of OpenSSH logging
>>>> though.
>>>> I'd like to have OpenSSH log the email address field from a key that was used
>>>> for login so I could see something like "ssh key russell@coker.com.au was used
>>>> to login to account rjc" in my logs.
>>> From what I know that information (the comment on the key) is not very
>>> secure, Joe could put Bob as his comment...
>>> However one could do a look-up on the key from a key-server and get the
>>> email address that way.  This is assuming that people are using their
>>> gpg (email) keys for ssh.
>> I don't know if the chroot idea is legitimate or not, but I went ahead
>> and started a logger in /run/sshd/dev/log and there were still no logs
>> for publickey denied, and if this idea was actually for sure true, why
>> would it show successful logins in the log and not unsuccessful logins
>> in the log?
> I don't know the details, but I've done this and was then able to track
> down my kerberos issues.  Unsuccessful logins might not ever leave the
> chroot, they exit there and then.  Successful logins get a return
> somehow, likely via a pipe created earlier.
> It seems like this isn't working for you.  That's when I start ssh on
> another port under an strace...
> strace -f sshd -p 222
> Plus whatever other options.  Then ssh to port 222 and get the log of
> what happens...  This is how I originally discovered where I needed to
> place my syslog socket.

This document says /var/empty, which would make it /var/empty/dev/log.
Use strace to check where the chroot is or set the location in the
sshd_config file, assuming there is an option for that.
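The two checks discussed in this thread, the grep for the password-logging format string in the sshd binary and the strace run to locate the privilege-separation chroot, as a small set of shell helpers. This is an added example, not code from anyone in the thread or from the OpenSSH project. It assumes the strace log was produced with `strace -f` as above, that the syslog daemon is rsyslog (the `$AddUnixListenSocket` directive is rsyslog's own, and the whole point is to give sshd's chrooted child a /dev/log it can reach), and the sample trace and sample "binaries" used in the usage notes are constructed for the example. Note that OpenSSH's privsep directory is chosen at build time (`--with-privsep-path`), so reading it off the strace output is more reliable than looking for an sshd_config option.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Helpers for (1) the backdoor-string grep and (2) deriving the syslog
# socket path that sshd's privsep chroot needs from an `strace -f sshd` log.

# Returns 0 when the password-logging format string from the thread is absent
# (sshd looks clean), 1 when it is present.  The pattern is a basic regex,
# exactly as posted, so '.' matches any single byte.
sshd_backdoor_check() {
    if grep -q 'ssh:1.%.30s@%.128s.s password:' "$1"; then
        return 1
    fi
    return 0
}

# Extracts the target of the first *successful* chroot() call from an
# `strace -f` log.  Lines look like:
#   [pid  4242] chroot("/run/sshd")             = 0
# Failed attempts (= -1 ...) are ignored so a probe of a missing directory
# does not mislead us.
chroot_from_strace() {
    sed -n 's/.*chroot("\([^"]*\)").*= 0$/\1/p' "$1" | head -n 1
}

# The syslog socket the chrooted child will open is <chroot>/dev/log.
chroot_syslog_socket() {
    dir=$(chroot_from_strace "$1")
    [ -n "$dir" ] || return 1
    printf '%s/dev/log\n' "$dir"
}

# rsyslog legacy directive (assumption: rsyslog is the syslog daemon) that
# makes it listen on an additional unix socket inside the chroot.
rsyslog_socket_directive() {
    sock=$(chroot_syslog_socket "$1") || return 1
    printf '$AddUnixListenSocket %s\n' "$sock"
}

# Returns 0 if a socket already exists at <chroot>/dev/log for the chroot
# found in the trace, 1 otherwise (e.g. after a reboot on a tmpfs /run).
chroot_socket_present() {
    sock=$(chroot_syslog_socket "$1") || return 1
    [ -S "$sock" ]
}

# Usage (constructed): strace -f -o /tmp/sshd.trace sshd -p 222
#   sshd_backdoor_check /usr/sbin/sshd && echo "no backdoor string"
#   rsyslog_socket_directive /tmp/sshd.trace   # paste into rsyslog.conf
#   chroot_socket_present /tmp/sshd.trace || echo "socket missing in chroot"
```

The usage lines are the ones a practitioner would actually type; the functions themselves only read files, so they can be dry-run against a saved trace before touching rsyslog.conf.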

