cool -- thanks Colin for the heads up.
I guess that is the code:
    authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
        authmsg,
        method,
        submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
        authctxt->valid ? "" : "invalid user ",
        authctxt->user,
        get_remote_ipaddr(),
        get_remote_port(),
        compat20 ? "ssh2" : "ssh1",
        authctxt->info != NULL ? ": " : "",
        authctxt->info != NULL ? authctxt->info : "");


would you happen to have a sample log line(s)? removal of anchoring at the end
might not be ideal here due to a '.*' in the middle, thus a bit more analysis is
needed on how exactly the trailing part of the line could look and what info
could be logged there so we do not end up opening it up for injection attacks.

Cheers!

On Sun, 15 Sep 2013, Colin Watson wrote:

> Package: fail2ban
> Version: 0.8.10-3
> Severity: important

> config/filter.d/sshd.conf has:

>             ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$

> This is likely to break with OpenSSH 6.3:

>  * sshd(8): standardise logging of information during user authentication.

>    The presented key/cert and the remote username (if available) is now
>    logged in the authentication success/failure message on the same log
>    line as the local username, remote host/port and protocol in use.
>    Certificates contents and the key fingerprint of the signing CA are
>    logged too.

>    Including all relevant information on a single line simplifies log
>    analysis as it is no longer necessary to relate information scattered
>    across multiple log entries.

> I'd suggest just dropping the "\s*$" from the end of the regex.

> I intend to upload OpenSSH 6.3 to unstable quite soon (days).  If you
> can fix this reasonably quickly and would like me to add a Breaks field
> to try to make sure people upgrade to a new version of fail2ban at the
> same time, please let me know.
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate,     Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        
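
Added example, not part of the original thread or of fail2ban's own code: a regression check that runs the anchored regex from the report and the variant with "\s*$" dropped over constructed log lines built from the authlog() format string quoted above, and reports which host each one captures. PREFIX and HOST are simplified stand-ins (assumptions) for fail2ban's %(__prefix_line)s and <HOST>, and the text after "ssh2" in the sample lines is invented.

```python
import re

# Assumptions: simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>.
PREFIX = r"\S+ sshd\[\d+\]: "
HOST = r"(?P<host>[\w.:-]+)"

BODY = r"^" + PREFIX + r"Failed \S+ for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?"
ANCHORED = re.compile(BODY + r"\s*$")  # regex quoted in the bug report
UNANCHORED = re.compile(BODY)          # suggested change: "\s*$" dropped

# Constructed log lines (not real sshd output), shaped after the format string
# "%s %s%s%s for %s%.100s from %.200s port %d %s%s%s".
OLD_STYLE = ("srv sshd[1234]: Failed password for invalid user bob "
             "from 192.0.2.10 port 51234 ssh2")
# Same shape plus the new ": <info>" suffix; the info text is a placeholder.
NEW_STYLE = ("srv sshd[1234]: Failed publickey for alice "
             "from 192.0.2.10 port 51234 ssh2: EXAMPLE-KEY-INFO")
# Suffix that itself contains " from <address>", followed by more text.
AMBIGUOUS = NEW_STYLE + " from 203.0.113.5 trailing-text"

SAMPLES = {"old": OLD_STYLE, "new": NEW_STYLE, "ambiguous": AMBIGUOUS}


def captured_host(regex, line):
    """Return the host the filter would act on, or None if the line is ignored."""
    m = regex.search(line)
    return m.group("host") if m else None


def compare():
    """Map sample name -> (host from anchored regex, host from unanchored regex)."""
    return {name: (captured_host(ANCHORED, line), captured_host(UNANCHORED, line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (anchored, unanchored) in compare().items():
        print(f"{name:10} anchored={anchored!s:12} unanchored={unanchored}")
```

The greedy ".*" makes the unanchored regex take the last " from " on the line, so the host it reports for the third sample comes from the suffix rather than from the connection field.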

