Bug#450655: marked as done (ssh: Insuficient logging when user isn't on the allowed group)
Your message dated Tue, 6 Sep 2011 10:32:42 +0100
with message-id <20110906093242.GA9641@riva.dynamic.greenend.org.uk>
and subject line Re: Bug#450655: ssh: Insuficient logging when user isn't on the allowed group
has caused the Debian Bug report #450655,
regarding ssh: Insuficient logging when user isn't on the allowed group
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
450655: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=450655
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ssh: Insuficient logging when user isn't on the allowed group
- From: Aristeu Rozanski <aris@ruivo.org>
- Date: Thu, 08 Nov 2007 15:32:30 -0500
- Message-id: <20071108203230.9558452507@lobo.ruivo.org>
Package: ssh
Version: 1:3.8.1p1-8.sarge.6
Severity: normal
When ssh server is configured to only allow a certain group of users to
login:
AllowGroups ssh
any user trying to login will be logged with insufficient information:
Nov 8 13:31:09 lobo sshd[31794]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 13:31:13 lobo sshd[31796]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 13:31:17 lobo sshd[31798]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 13:31:21 lobo sshd[31800]: User root not allowed because none of user's groups are listed in AllowGroups
this is a problem if you're using a tool such fail2ban, which can't
extract the ip address to ban it from accessing the ssh service. To fix
this, I had to switch the ssh server log level to VERBOSE:
SyslogFacility AUTH
LogLevel VERBOSE
Now I get something usable:
Nov 8 14:09:51 lobo sshd[1185]: Connection from xx.xxx.xxx.xxx port 54850
Nov 8 14:10:03 lobo sshd[1185]: User root not allowed because none of user's groups are listed in AllowGroups
Nov 8 14:10:29 lobo sshd[1189]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxxxxxxxxxxxx.com user=root
Nov 8 14:10:31 lobo sshd[1185]: error: PAM: Authentication failure for illegal user root from xxxxxxxxxxxxxxxxxxx.com
Nov 8 14:10:31 lobo sshd[1185]: Failed keyboard-interactive/pam for illegal user root from xx.xxx.xxx.xxx port 54850 ssh2
I'm attaching the sshd_config just in case
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel VERBOSE
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server
AllowGroups ssh
UsePAM yes
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22sarge6 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3sarge5 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/ssh2_keys_merged:
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
--- End Message ---
--- Begin Message ---
- To: 450655-done@bugs.debian.org
- Subject: Re: Bug#450655: ssh: Insuficient logging when user isn't on the allowed group
- From: Colin Watson <cjwatson@debian.org>
- Date: Tue, 6 Sep 2011 10:32:42 +0100
- Message-id: <20110906093242.GA9641@riva.dynamic.greenend.org.uk>
- In-reply-to: <20071108203230.9558452507@lobo.ruivo.org>
- References: <20071108203230.9558452507@lobo.ruivo.org>
Source: openssh
Source-Version: 1:4.0p1-1
On Thu, Nov 08, 2007 at 03:32:30PM -0500, Aristeu Rozanski wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.6
> Severity: normal
>
> When ssh server is configured to only allow a certain group of users to
> login:
> AllowGroups ssh
> any user trying to login will be logged with insufficient information:
> Nov 8 13:31:09 lobo sshd[31794]: User root not allowed because none of user's groups are listed in AllowGroups
This was fixed some years ago in OpenSSH 4.0:
revision 1.3622
date: 2005/01/24 10:56:48; author: dtucker; state: Exp; lines: +5 -1
- dtucker@cvs.openbsd.org 2005/01/22 08:17:59
[auth.c]
Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@
See https://bugzilla.mindrot.org/show_bug.cgi?id=909.
Thanks,
--
Colin Watson [cjwatson@debian.org]
--- End Message ---
Reply to: