[Bug 501956] Re: OpenSSH does not log failed attempts when key authentication is used

Don Reid don at bunfight.net
Thu Feb 18 21:45:42 GMT 2010


To summarize:

LogLevel INFO
RSAAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers lukeskywalker

[1] The decision to log the error is made in procedure "auth_log" in "auth.c":
   /* Raise logging level */
   if (authenticated == 1 ||
       !authctxt->valid ||
       authctxt->failures >= options.max_authtries / 2 ||
       strcmp(method, "password") == 0)
           authlog = logit;

When the account exists but does not have a trusted pubkey on the server,
the variables in the "auth_log" decision have the following values:
   authenticated ......... 0
   authctxt->valid ....... 1
   authctxt->failures .... 0
   options.max_authtries . 6
   method ................ publickey

Which translates to:
   if (0 == 1 ||
       ! 1 ||
       0 >= 6 / 2 ||
       1 == 0)
           authlog = logit;

So authlog cannot escalate to the logit function (nothing in auth.log)

I suggest ADDING the following change between "/* Raise logging level
*/" and the start of the if statement that immediately follows it:

   if (!authenticated &&
       authctxt->valid &&
       strcmp(method, "publickey") == 0)
           authlog = logit;

There seems to be an alternative train of thought from the 2005 portable
bug associated with this report. I guess that was never implemented
(please add comments if you know the history).

Regards, Don.

-- 
OpenSSH does not log failed attempts when key authentication is used
https://bugs.launchpad.net/bugs/501956
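The following is an added illustration, not code from OpenSSH or from this report: it re-implements the "raise logging level" decision quoted from auth_log() above, once as in the original auth.c and once with the proposed addition, so the scenario in the report (valid account, no trusted key, first attempt, MaxAuthTries 6) can be checked directly. The struct shapes are minimal stand-ins for the real Authctxt and ServerOptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed minimal stand-ins for the OpenSSH structs; only the fields the
 * quoted condition reads are modelled. */
struct authctxt { int valid; int failures; };
struct server_options { int max_authtries; };

/* The condition quoted from auth_log() in auth.c. Returns 1 when the log
 * call would be escalated to logit() (i.e. a line reaches auth.log), 0 when
 * it stays at the quiet default level. */
int raise_level_original(int authenticated, const struct authctxt *a,
                         const struct server_options *o, const char *method)
{
    return authenticated == 1 ||
           !a->valid ||
           a->failures >= o->max_authtries / 2 ||
           strcmp(method, "password") == 0;
}

/* Same decision with the report's proposed addition in front of it: a
 * failed publickey attempt against an existing account is also escalated. */
int raise_level_patched(int authenticated, const struct authctxt *a,
                        const struct server_options *o, const char *method)
{
    if (!authenticated && a->valid && strcmp(method, "publickey") == 0)
        return 1;
    return raise_level_original(authenticated, a, o, method);
}

int main(void)
{
    /* The values listed in the report for a valid user without a key. */
    struct authctxt a = { .valid = 1, .failures = 0 };
    struct server_options o = { .max_authtries = 6 };

    printf("original auth.c logs failed publickey: %d\n",
           raise_level_original(0, &a, &o, "publickey"));   /* 0 */
    printf("with proposed change:                  %d\n",
           raise_level_patched(0, &a, &o, "publickey"));    /* 1 */
    return 0;
}
```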