On Sat, Sep 14, 2013 at 07:48:49PM -0400, Yaroslav Halchenko wrote:
> cool -- thanks Colin for the heads up.
> I guess that is the code:
> authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
> authmsg,
> method,
> submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
> authctxt->valid ? "" : "invalid user ",
> authctxt->user,
> get_remote_ipaddr(),
> get_remote_port(),
> compat20 ? "ssh2" : "ssh1",
> authctxt->info != NULL ? ": " : "",
> authctxt->info != NULL ? authctxt->info : "");
>
>
> would you happen to have a sample log line(s)? removal anchoring at the end
> might not be ideal here due to a '.*' in the middle thus a bit more analysis
> is
> needed on how exactly trailing line could look like and what info could be
> logged there so we do not end up opening it up for injection attacks.
Sorry for my delay. Here are a couple of samples:
(ssh to invalid user; this matches the previous pattern)
Nov 8 13:33:15 unstable sshd[2825]: Failed password for invalid user fake from
10.0.3.1 port 59419 ssh2
(successful authentication; wouldn't match here but shows the kind of
extra information provided)
Nov 8 13:38:43 unstable sshd[2861]: Accepted publickey for cjwatson from
10.0.3.1 port 59437 ssh2: RSA 20:a0:6f:22:67:30:0f:a7:a9:f4:93:e6:7d:bd:ae:59
As far as I can tell from a search through the code the extra
information provided after the colon-space could currently be:
ruser <client user (any string, supplied by client)>
(SSH1, rhosts/RSA)
<key type> ID <key ID> (serial <number>) CA <key type> <fingerprint>
(SSH2, pubkey, CA key, no hostbased auth)
<key type> ID <key ID> (serial <number>) CA <key type> <fingerprint>, client
user "<user>", client host "<host>"
(SSH2, pubkey, CA key, hostbased auth)
<key type> <fingerprint>
(SSH2, pubkey, not a CA key, no hostbased auth)
<key type> <fingerprint>, client user "<user>", client host "<host>"
(SSH2, pubkey, not a CA key, hostbased auth)
I don't think it's really a good idea to special-case all of these,
because these are quite likely to be adjusted or extended in future.
I take your point about avoiding injection attacks, though, given that
some of these can be supplied by the client; I assume your concern is
that somebody could inject a different host name in their failure and
thus evade bans. How about just using ".*?" in the middle rather than
".*", then? The true host name will always come first. That would
result in:
^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?
Thanks,
--
Colin Watson [cjwat...@debian.org]
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
