Hi Chris!
On Fri, 15 Feb 2002, Chris Evans wrote:
> I think this belongs on d.-user not the security or ssh lists.
>
> Thanks to people who helped point me to logcheck, I saw my first
> attempted login from outside today. At least, I'm pretty sure that's
> what I saw but I am seeking some information about what gets logged
> by sshd.
no expert here, but i think this is pam logging as pam is used for
authentication for ssh, login, su, sudo et al.
> What I see in auth.log is (consecutive lines):
> Feb 14 23:19:29 www sshd[438]: Did not receive ident string from
> xxx.yy.zzz.uu (actual number removed in case!)
> I think that's an unsuccessful attempt to log in, am I right?
>
> Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
> Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
> don't understand why sshd did that then, 30 minutes later
ssh generates new server RSA keys every once in a while. these RSA keys
are never written to disk and are generated from your (usually 1024 bit)
host key.
> then the next lines are me testing what happens if I try to do
> an illegal login:
> Feb 15 07:36:08 www su[1154]: + ??? root-www-data
> Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-
> data by (uid=0)
> which looks alarming but I was slung out by shell being
> /usr/bin/false or by fact I didn't give right password
apache started by root?
> Feb 15 07:36:08 www su[1174]: + ??? root-nobody
> Feb 15 07:36:08 www PAM_unix[1174]: (su) session opened for user
> nobody by (uid=0)
> ditto
a daemon running as user nobody started from user root (could be via
inetd, xinetd, cron...)
> Feb 15 07:55:52 www sshd[1375]: Accepted password for xxxxxxx from
> zzz.zzz.zzz.zzz port yyyy
>
> That last line seems to be the logging of a successful login and it's
> very reassuringly different from the one from someone else, from an
> outside IP address.
>
> I had a look in the ssh documentation (which points to various dead
> URLs) but couldn't find anything detailed on logging messages. I
> don't think my programming is up to reading the source package to see
> if that would tell me.
as stated above i think you're looking at the wrong documentation. check
out the pam docs.
> I'm also under the impression that sshd generates new keys when
> restarted and at intervals, does anyone know if that is right?
yes, that's correct (see man sshd: SSH protocol version 1).
yours martin
--
<martin@wuertele.net> ------------------------------ NO HTML MAILS PLEASE
PGP/GPG encrypted and signed messages preferred
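
Added example, not part of the original message: a small classifier for the auth.log message types quoted in the thread. sshd writes "Did not receive ident string" when a client connects and the connection ends without it sending an SSH identification string, so that line is labelled as a probe rather than a login. The sample lines, addresses, user name and event labels are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the auth.log format quoted in the thread
# (addresses are documentation ranges, the user name is a placeholder).
SAMPLE_LOG = """\
Feb 14 23:19:29 www sshd[438]: Did not receive ident string from 203.0.113.7
Feb 14 23:49:32 www sshd[242]: Generating new 768 bit RSA key.
Feb 14 23:49:33 www sshd[242]: RSA key generation complete.
Feb 15 07:36:08 www su[1154]: + ??? root-www-data
Feb 15 07:36:08 www PAM_unix[1154]: (su) session opened for user www-data by (uid=0)
Feb 15 07:55:52 www sshd[1375]: Accepted password for alice from 192.0.2.10 port 40022
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(r"^(\w{3} [ \d]\d [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")

# (program, message pattern, event label), checked in order; labels are hypothetical
RULES = [
    ("sshd", re.compile(r"^Did not receive ident string from (?P<src>\S+)"), "probe_no_ident"),
    ("sshd", re.compile(r"^(Generating new \d+ bit RSA key|RSA key generation complete)"), "server_key_regen"),
    ("sshd", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"), "login_ok"),
    ("PAM_unix", re.compile(r"^\((?P<svc>\w+)\) session opened for user (?P<user>\S+) by \S*\(uid=(?P<uid>\d+)\)"), "local_session"),
]

def classify(line):
    """Return (label, fields) for one auth.log line; 'unparsed' or 'other' if no rule fits."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed", {}
    program, msg = m.group(3), m.group(5)
    for prog, pattern, label in RULES:
        hit = pattern.match(msg) if prog == program else None
        if hit:
            return label, hit.groupdict()
    return "other", {}

def summarize(text):
    """Count event labels and collect the remote addresses seen per label."""
    counts, sources = Counter(), {}
    for line in text.splitlines():
        label, fields = classify(line)
        counts[label] += 1
        if "src" in fields:
            sources.setdefault(label, set()).add(fields["src"])
    return counts, sources

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```
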