
Bug#429243: marked as done (special syslogd configuration required in order to log messages from network child)



Your message dated Thu, 08 Sep 2011 00:03:23 +0000
with message-id <E1R1S5T-00085w-SE@franck.debian.org>
and subject line Bug#429243: fixed in openssh 1:5.9p1-1
has caused the Debian Bug report #429243,
regarding special syslogd configuration required in order to log messages from network child
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
429243: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429243
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.6p1-1
Severity: grave

The openssh-server "unstable" upgrade yesterday made sshd stop logging
failures correctly to syslog.  If I successfully log in, then a message
is correctly printed in /var/log/auth.log like these:

Jun 16 09:04:39 ten22 sshd[28070]: Accepted password for brandon from ... port 49393 ssh2
Jun 16 09:07:42 ten22 sshd[28496]: Accepted publickey for brandon from ... port 38827 ssh2

But my many attempts to log in that resulted, on the client end, in
the message:

Permission denied (publickey).

left absolutely *no* trace in the logs!  I verified that the SSH
server was indeed answering these connections (and that they weren't
getting routed to the wrong machine or anything) by stopping it,
running it in debug mode (/usr/sbin/sshd -e -f) and then also under
strace(1), and seeing that it was indeed receiving the connection and
responding with a refusal to allow a connection.

Now: why was it refusing to let me log on with a password?  Password
logins had been succeeding since the machine was installed long ago;
what had changed?  Well, I am not sure whether SSH has changed or my
config files (I will check my backups), but I did find the directive
in /etc/ssh/sshd_config:

PasswordAuthentication no

How did that get there!?  And if it were there before, why was SSH
letting me in?  I had better check my backups right now, because I
guess that's an important question.  [Three minute pause.]  Well, how
odd!  "PasswordAuthentication no" has been my setting for as long as I
have been keeping backups, and yet SSH always permitted them!

I suppose I had the option turned off because the phrase "cleartext"
in the comment line above it made it sound like something bad.  But,
of course, it doesn't really mean "clear text"; the password in fact
is well-protected by the SSH stream encryption.

So: I have no complaint about SSH beginning to honor this option
correctly, since I suppose it should, but it would be nice if the
package had an extremely high-priority warning presented to the user
during pre-installation warning them that this option was to begin
being honored and the user had better adjust their sshd_config file
(if the install script detects that "PasswordAuthentication no" is
set, of course; the warning is irrelevant otherwise.)

Anyway, my real worry here - and the reason I have put "grave" as the
severity level - is that login failures appear to no longer be sent to
syslog, which seems a huge problem in the daemon that is protecting my
system at its most fundamental level.  Though, I must admit, it does
still seem to log failures *if* the method is password authentication;
but its not logging public-key-based failures still seems worrisome
enough to warrant immediate attention.

The log format seems to have changed, oddly enough; until the upgrade
it seems to have been saying, upon accepting a password,

May 16 10:28:19 ten22 sshd[11852]: Accepted keyboard-interactive/pam for brandon from ... port 36847 ssh2

but after the upgrade the messages changed to:

Jun 16 09:41:56 ten22 sshd[31175]: Accepted password for brandon from ... port 56485 ssh2

Again, public key failures - when that is the only method available -
result in no logging of the failed attempt.

My sshd_config looked like (before I changed "no" to "yes" as
described above):

------------------------------------------------------------------------
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
------------------------------------------------------------------------

-- 
Brandon Craig Rhodes   brandon@rhodesmill.org   http://rhodesmill.org/brandon


--- End Message ---
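The symptom in the report above is that successful logins reach auth.log while pre-auth failures vanish. The following is an added example, not code from the report or from the openssh package: a small auth.log audit that counts sshd outcomes per authentication method and flags any method that shows successes but not a single failure, which is the pattern an operator would see when the chrooted pre-auth child cannot reach syslog. It assumes the "Accepted ... for" line shape shown in the report and the standard sshd "Failed ... for" wording (not shown on the page); the sample lines and the 10.0.0.5 address are constructed.

```python
import re
from collections import Counter

# Syslog line shape as in the auth.log excerpts of the report.
SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
# "Failed <method> for [invalid user] <user> from <src> port <n>" is the
# standard sshd wording (assumption: not quoted on the page).
FAIL_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def classify(line):
    """Return (kind, method): kind is 'accepted', 'failed', 'other' for sshd
    lines, or None for lines from other daemons."""
    m = SSHD_RE.match(line)
    if not m:
        return None, None
    msg = m.group("msg")
    a = ACCEPT_RE.match(msg)
    if a:
        return "accepted", a.group("method")
    f = FAIL_RE.match(msg)
    if f:
        return "failed", f.group("method")
    return "other", None

def audit(lines, min_accepted=3):
    """Count outcomes per method; flag methods with >= min_accepted successes
    and zero failures, i.e. the silent-failure pattern from the report."""
    counts = Counter()
    for line in lines:
        kind, method = classify(line)
        if kind in ("accepted", "failed"):
            counts[(method, kind)] += 1
    methods = {m for (m, _k) in counts}
    suspicious = sorted(m for m in methods
                        if counts[(m, "accepted")] >= min_accepted
                        and counts[(m, "failed")] == 0)
    return counts, suspicious

# Constructed sample: password shows both outcomes, publickey only successes.
SAMPLE = """\
Jun 16 09:04:39 ten22 sshd[28070]: Accepted password for brandon from 10.0.0.5 port 49393 ssh2
Jun 16 09:05:10 ten22 sshd[28101]: Failed password for brandon from 10.0.0.5 port 49401 ssh2
Jun 16 09:07:42 ten22 sshd[28496]: Accepted publickey for brandon from 10.0.0.5 port 38827 ssh2
Jun 16 09:08:01 ten22 sshd[28510]: Accepted publickey for brandon from 10.0.0.5 port 38840 ssh2
Jun 16 09:08:30 ten22 sshd[28522]: Accepted publickey for brandon from 10.0.0.5 port 38851 ssh2
Jun 16 09:09:00 ten22 cron[28530]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    counts, suspicious = audit(SAMPLE)
    for (method, kind), n in sorted(counts.items()):
        print(f"{method:12s} {kind:9s} {n}")
    for method in suspicious:
        print(f"WARNING: {method}: successes logged, no failures; verify the pre-auth child can reach syslog")
```

Run it against a real auth.log with `audit(open("/var/log/auth.log"))`; a flagged method is a prompt to check the syslog path (for old versions, the socket inside the privsep chroot), not proof of an attack.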
--- Begin Message ---
Source: openssh
Source-Version: 1:5.9p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_5.9p1-1_i386.udeb
  to main/o/openssh/openssh-client-udeb_5.9p1-1_i386.udeb
openssh-client_5.9p1-1_i386.deb
  to main/o/openssh/openssh-client_5.9p1-1_i386.deb
openssh-server-udeb_5.9p1-1_i386.udeb
  to main/o/openssh/openssh-server-udeb_5.9p1-1_i386.udeb
openssh-server_5.9p1-1_i386.deb
  to main/o/openssh/openssh-server_5.9p1-1_i386.deb
openssh_5.9p1-1.debian.tar.gz
  to main/o/openssh/openssh_5.9p1-1.debian.tar.gz
openssh_5.9p1-1.dsc
  to main/o/openssh/openssh_5.9p1-1.dsc
openssh_5.9p1.orig.tar.gz
  to main/o/openssh/openssh_5.9p1.orig.tar.gz
ssh-askpass-gnome_5.9p1-1_i386.deb
  to main/o/openssh/ssh-askpass-gnome_5.9p1-1_i386.deb
ssh-krb5_5.9p1-1_all.deb
  to main/o/openssh/ssh-krb5_5.9p1-1_all.deb
ssh_5.9p1-1_all.deb
  to main/o/openssh/ssh_5.9p1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 429243@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 07 Sep 2011 23:46:00 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.9p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 75043 76312 229124 429243 444691 498297 504757 560156 599240
Changes: 
 openssh (1:5.9p1-1) unstable; urgency=low
 .
   * New upstream release (http://www.openssh.org/txt/release-5.9).
     - Introduce sandboxing of the pre-auth privsep child using an optional
       sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
       mandatory restrictions on the syscalls the privsep child can perform.
     - Add new SHA256-based HMAC transport integrity modes from
       http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
     - The pre-authentication sshd(8) privilege separation slave process now
       logs via a socket shared with the master process, avoiding the need to
       maintain /dev/log inside the chroot (closes: #75043, #429243,
       #599240).
     - ssh(1) now warns when a server refuses X11 forwarding (closes:
       #504757).
     - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
       separated by whitespace (closes: #76312).  The authorized_keys2
       fallback is deprecated but documented (closes: #560156).
     - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
       ToS/DSCP (closes: #498297).
     - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
       - < /path/to/key" (closes: #229124).
     - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
     - Say "required" rather than "recommended" in unprotected-private-key
       warning (LP: #663455).
   * Update OpenSSH FAQ to revision 1.112.
Package-Type: udeb




--- End Message ---
