Bug#450655: ssh: Insuficient logging when user isn't on the allowed group
Package: ssh
Version: 1:3.8.1p1-8.sarge.6
Severity: normal
When ssh server is configured to only allow a certain group of users to
login:
AllowGroups ssh
any user trying to login will be logged with insufficient information:
Nov 8 13:31:09 lobo sshd[31794]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 13:31:13 lobo sshd[31796]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 13:31:17 lobo sshd[31798]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 13:31:21 lobo sshd[31800]: User root not allowed because none of user's groups are listed in AllowGroups
this is a problem if you're using a tool such fail2ban, which can't
extract the ip address to ban it from accessing the ssh service. To fix
this, I had to switch the ssh server log level to VERBOSE:
SyslogFacility AUTH
LogLevel VERBOSE
Now I get something usable:
Nov 8 14:09:51 lobo sshd[1185]: Connection from xx.xxx.xxx.xxx port 54850
Nov 8 14:10:03 lobo sshd[1185]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 14:10:29 lobo sshd[1189]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxxxxxxxxxxxx.com user=root
Nov 8 14:10:31 lobo sshd[1185]: error: PAM: Authentication failure for illegal user root from xxxxxxxxxxxxxxxxxxx.com
Nov 8 14:10:31 lobo sshd[1185]: Failed keyboard-interactive/pam for illegal user root from xx.xxx.xxx.xxx port 54850 ssh2
I'm attaching the sshd_config just in case
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel VERBOSE
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server
AllowGroups ssh
UsePAM yes
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22sarge6 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3sarge5 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/ssh2_keys_merged:
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
Reply to: