Package: openssh-server Version: 1:4.6p1-1 Severity: grave The openssh-server "unstable" upgrade yesterday made sshd stop logging failures correcty to syslog. If I successfully log in, then a message is correctly printed in /var/log/auth.log like these:
Jun 16 09:04:39 ten22 sshd[28070]: Accepted password for brandon from ... port 49393 ssh2 Jun 16 09:07:42 ten22 sshd[28496]: Accepted publickey for brandon from ... port 38827 ssh2 But my many attempts to log in that resulted, on the client end, in the message: Permission denied (publickey). left absolutely *no* trace in the logs! I verified that the SSH server was indeed answering these connections (and that they weren't getting routed to the wrong machine or anything) by stopping it, running it in debug mode (/usr/sbin/sshd -e -f) and then also under strace(1), and seeing that it was indeed receiving the connection and responding with a refusal to allow a connection. Now: why was it refusing to let me log on with a password? Password logins had been succeeding since the machine was installed long ago; what had changed? Well, I am not sure whether SSH has changed or my config files (I will check my backups), but I did find the directive in /etc/ssh/sshd_config: PasswordAuthentication no How did that get there!? And if it were there before, why was SSH letting me in? I had better check my backups right now, because I guess that's an important question. [Three minute pause.] Well, how odd! "PasswordAuthentication no" has been my setting for as long as I have been keeping backups, and yet SSH always permitted them! I suppose I had the option turned off because the phrase "cleartext" in the comment line above it made it sound like something bad. But, of course, it doesn't really mean "clear text"; the password in fact is well-protected by the SSH stream encryption. So: I have no complaint about SSH beginning to honor this option correctly, since I suppose it should, but it would be nice if the package had an extremely high-priority warning presented to the user during pre-installation warning them that this option was to begin being honored and the user had better adjust their sshd_config file (if the install script detects that "PasswordAuthentication no" is set, of course; the warning is irrelevant otherwise.) Anyway, my real worry here - and the reason I have put "grave" as the severity level - is that login failures appear to no longer be sent to syslog, which seems a huge problem in the daemon that is protecting my system at its most fundamental level. Though, I must admit, it does still seem to log failures *if* the method is password authentication; but its not logging public-key-based failures still seems worrisome enough to warrant immediate attention. The log format seems to have changed, oddly enough; until the upgrade it seems to have been saying, upon accepting a password, May 16 10:28:19 ten22 sshd[11852]: Accepted keyboard-interactive/pam for brandon from ... port 36847 ssh2 but after the upgrade the messages changed to: Jun 16 09:41:56 ten22 sshd[31175]: Accepted password for brandon from ... port 56485 ssh2 Again, public key failures - when that is the only method available - result in no logging of the failed attempt. My sshd_config looked like (before I changed "no" to "yes" as described above): ------------------------------------------------------------------------ # Package generated configuration file # See the sshd(8) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 600 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Change to yes to enable tunnelled clear text passwords PasswordAuthentication yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes KeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes ------------------------------------------------------------------------ -- Brandon Craig Rhodes [EMAIL PROTECTED] http://rhodesmill.org/brandon -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
