OpenSSH not logging denied public keys, even with logging set to verbose.

March 01st, 2012 - 07:40 am ET by Jordon Bedwell
SSH Version: OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010

Part of the config:
compression yes
maxauthtries 1
port 22
listenaddress 10.6.18.80
protocol 2
useprivilegeseparation yes
syslogfacility AUTH
loglevel VERBOSE
logingracetime 30
permitrootlogin yes
strictmodes yes
rsaauthentication no
publickeyauthentication yes
authorizedkeysfile %h/.ssh/authorized_keys
permitemptypasswords no
passwordauthentication no
x11forwarding no
printlastlog yes
tcpkeepalive yes
acceptenv LANG LC_*
usepam yes
allowusers root git

It seems like no matter what I try (even DEBUG3) I cannot get it to
spit out publickey denied so that we can ban with our banning daemons.
I am at a loss since I've tried everything that I can think of.


To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAM5XQnzH5G...EXJmydLUCQ@mail.gmail.com
Replies

#1 Jordon Bedwell
March 01st, 2012 - 08:00 am ET
On Thu, Mar 1, 2012 at 6:31 AM, Taz wrote:
>> rsaauthentication no
>
> change this to yes

I'm at a loss, how is setting an option that does not even apply to us
(since we use Protocol 2 and that option is moot for us anyways) going
to fix a logging issue? Perhaps I need to be more explicit and I am
sorry if I was too brief and didn't explain the situation very well.

I am able to login with no problem using our keys, rsaauthentication
is not the problem and never will be. The problem is I cannot get
sshd to log publickey denied errors to /var/log/auth.log so our
daemons can ban these users. I want to know what happened to messages
like "publickey denied for [user] from [ip]" I cannot get it to log
those messages at all no matter the logging level.


#2 Aníbal Monsalve Salazar
March 01st, 2012 - 04:10 pm ET
On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
> The problem is I cannot get sshd to log publickey denied errors to
> /var/log/auth.log so our daemons can ban these users. I want to know
> what happened to messages like "publickey denied for [user] from [ip]"
> I cannot get it to log those messages at all no matter the logging
> level.

Run the command below.

grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?

If you don't get 1 as output, your sshd is compromised.


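The check from the reply above, as an added example that is not part of the original thread: a bare `echo $?` cannot tell a grep error (status 2, for instance an unreadable file) from a match (status 0), so this wrapper reports the three outcomes separately. The function name `check_sshd_marker` is hypothetical; the pattern is copied verbatim from the reply.

```shell
#!/bin/sh
# Pattern copied verbatim from the reply; the dots are regex wildcards.
SSHD_MARKER='ssh:1.%.30s@%.128s.s password:'

# check_sshd_marker PATH   (hypothetical helper, not from the thread)
# Prints exactly one word:
#   absent  - grep exited 1: marker not found (the result the reply expects)
#   present - grep exited 0: marker found (what the reply calls compromised)
#   error   - the file could not be read or grep failed; nothing was proven
check_sshd_marker() {
    bin=$1
    if [ ! -f "$bin" ] || [ ! -r "$bin" ]; then
        echo error
        return 0
    fi
    rc=0
    # LC_ALL=C so arbitrary bytes in the binary are matched byte by byte.
    LC_ALL=C grep -q -e "$SSHD_MARKER" "$bin" 2>/dev/null || rc=$?
    case $rc in
        0) echo present ;;
        1) echo absent ;;
        *) echo error ;;
    esac
}

# Run against the path given on the command line, e.g. /usr/sbin/sshd.
if [ $# -gt 0 ]; then
    check_sshd_marker "$1"
fi
```
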
#3 Mike Mestnik
March 01st, 2012 - 04:50 pm ET
On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote:
> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>> The problem is I cannot get sshd to log publickey denied errors to
>> /var/log/auth.log so our daemons can ban these users. I want to know
>> what happened to messages like "publickey denied for [user] from [ip]"
>> I cannot get it to log those messages at all no matter the logging
>> level.

The chroot doesn't have a socket to log to...

Have syslog listen on something like: /var/run/sshd/dev/log

> Run the command below.
>
> grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>
> If you don't get 1 as output, your sshd is compromised.

#4 Jordon Bedwell
March 01st, 2012 - 07:30 pm ET
2012/3/1 Aníbal Monsalve Salazar:
> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>> The problem is I cannot get sshd to log publickey denied errors to
>> /var/log/auth.log so our daemons can ban these users. I want to know
>> what happened to messages like "publickey denied for [user] from [ip]"
>> I cannot get it to log those messages at all no matter the logging
>> level.
>
> Run the command below.
>
> grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
>
> If you don't get 1 as output, your sshd is compromised.

It returned 1, this happens on freshly installed Debian and Ubuntu too
though, tested it on Ubuntu too.


#5 Bedwell, Jordon
March 01st, 2012 - 07:30 pm ET
On Thu, Mar 1, 2012 at 3:16 PM, Mike Mestnik wrote:
> On 03/01/2012 02:51 PM, Aníbal Monsalve Salazar wrote:
>> On Thu, Mar 01, 2012 at 06:56:07AM -0600, Jordon Bedwell wrote:
>>> The problem is I cannot get sshd to log publickey denied errors to
>>> /var/log/auth.log so our daemons can ban these users. I want to know
>>> what happened to messages like "publickey denied for [user] from [ip]"
>>> I cannot get it to log those messages at all no matter the logging
>>> level.
>
> The chroot doesn't have a socket to log to...
> Have syslog listen on something like: /var/run/sshd/dev/log

There is no chroot. I hope I didn't imply there was or is one.

