
Re: OpenSSH not logging denied public keys, even with logging set to verbose.



On Thu, Mar 1, 2012 at 8:18 PM, Mike Mestnik <cheako@mikemestnik.net> wrote:
> On 03/01/12 18:57, Russell Coker wrote:
>> On Fri, 2 Mar 2012, Jordon Bedwell <envygeeks@gmail.com> wrote:
>>>> Run the command below.
>>>>
>>>>  grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>>>>
>>>> If you don't get 1 as output, your sshd is compromised.
>>> It returned 1, this happens on freshly installed Debian and Ubuntu too
>>> though, tested it on Ubuntu too.
>> http://etbe.coker.com.au/2011/12/31/server-cracked/
>>
>> If you have a sshd that is compromised in the same way as one was on one of my
>> servers then Anibal's command will give an output of 0.
>>
>> I don't know what relevance this has to a discussion of OpenSSH logging
>> though.
>>
>> I'd like to have OpenSSH log the email address field from a key that was used
>> for login so I could see something like "ssh key russell@coker.com.au was used
>> to login to account rjc" in my logs.
>>
> From what I know that information (the comment on the key) is not very
> secure, Joe could put Bob as his comment...
>
> However one could do a look-up on the key from a key-server and get the
> email address that way.  This is assuming that ppl are using their
> gpg(email) keys for ssh.

I don't know if the chroot idea is legitimate or not, but I went ahead
and started a logger in /run/sshd/dev/log and there were still no logs
for publickey denied, and if this idea was actually for sure true, why
would it show successful logins in the log and not unsuccessful logins
in the log?
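
Added example, not part of the original thread: one way to get the "which key logged in to which account" view asked for in the quoted text, by matching the fingerprint in sshd's log line against the server-side authorized_keys file instead of trusting a comment supplied by the client. It assumes the "Accepted publickey ... ssh2: TYPE SHA256:..." log format of newer OpenSSH releases; the function names, key blobs and log lines are constructed for illustration.

```python
import base64
import hashlib
import re

def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def load_authorized_keys(text):
    """Map fingerprint -> comment. Simple options before the key type are skipped;
    quoted options that contain spaces are not handled in this sketch."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                comment = " ".join(fields[i + 2:]) or "(no comment)"
                table[fingerprint(fields[i + 1])] = comment
                break
    return table

# Assumed log format (newer OpenSSH): "... ssh2: <TYPE> SHA256:<fingerprint>"
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def annotate(log_lines, table):
    """Return (account, source, comment) per publickey login; comment is None for unknown keys."""
    return [(m.group(1), m.group(2), table.get(m.group(3)))
            for m in map(ACCEPTED.search, log_lines) if m]

# Constructed sample data: the blobs are placeholder bytes, not real public keys.
BLOB_A = base64.b64encode(b"constructed key blob A").decode()
BLOB_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE_KEYS = f"""# constructed authorized_keys for account rjc
ssh-ed25519 {BLOB_A} russell@coker.com.au
no-pty ssh-ed25519 {BLOB_B}
"""
STRANGER = fingerprint(base64.b64encode(b"key not in the file").decode())
SAMPLE_LOG = [
    f"sshd[811]: Accepted publickey for rjc from 192.0.2.10 port 50022 ssh2: ED25519 {fingerprint(BLOB_A)}",
    f"sshd[812]: Accepted publickey for rjc from 192.0.2.11 port 50023 ssh2: ED25519 {STRANGER}",
    "sshd[813]: Accepted password for rjc from 192.0.2.12 port 50024 ssh2",
]

if __name__ == "__main__":
    for account, source, comment in annotate(SAMPLE_LOG, load_authorized_keys(SAMPLE_KEYS)):
        print(f"{account} from {source}: key {comment or 'NOT in authorized_keys'}")
```

The comment is read from the file on the server, so it is only as trustworthy as the set of people who can write that file.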

