Bug 148342

Summary: Failure in DNS doesnt show failed ssh logins
Product: [openSUSE] SUSE Linux 10.1 Reporter: Klaus Singvogel <kssingvo>
Component: SecurityAssignee: Anna Maresova <anicka>
Status: RESOLVED WORKSFORME QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P5 - None CC: suse-beta
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Klaus Singvogel 2006-02-06 10:16:56 UTC 
I noticed that a failure in the reverse DNS name resolution doesn't report more information on the ssh login: if it failed or succeeded.
This is bad, because the more important information is hidden behind some less important information.

Please note: this is openssh-4.1p1 (SuSE 10.0)

I find in the logfile messages:
Jan 28 00:28:16 tuxhost sshd[27875]: Address 64.37.78.21 maps to gr2.georapid.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

But I want to see this:
Jan 28 00:28:16 tuxhost sshd[27875]: Invalid user test from 64.37.78.21
Comment 1 Petr Ostadal 2006-02-06 12:13:28 UTC 
it could be only feature request for 10.1 or maybe later (not bug report)
Comment 2 Petr Ostadal 2006-02-06 13:06:15 UTC 
When I quick look into code I found that "Invalid user" is logged after "POSSIBLE BREAKIN ATTEMPT!" message if login failed, but I can't check it.
Comment 3 Klaus Singvogel 2006-02-06 15:50:59 UTC 
I looked again through my logfile: sometimes there is an "Invalid user" line, sometimes there is none.

When the above messages occurred, my login-blocker didn't work, because of the missing "Invalid user" lines. This resulted in several hundreds (thousands?) lines of "POSSIBLE BREAKIN ATTEMPT!" in the logfile. But my blocker should limit this to 10-20 lines...
Comment 4 Petr Ostadal 2006-02-08 19:59:59 UTC 
yes, when there isn't "Invalid user" it means the login successed (I tested and it works well).

Now, I don't understand, where is the problem.
Comment 5 Klaus Singvogel 2006-02-09 08:37:23 UTC 
No, there wasn't a successful login.
Neither a "Accepted keyboard-interactive/pam for [...]" nor a "Accepted publickey for" is in the logfile, nor a corresponding wtmp entry is present.

The problem is this: I see several hundreds connections to the sshd daemon in the logfile, but I don't see the "Invalid user [...] from [...]" in the logfile. I assume that the reason for the missing entry is this: reporting an invalid IP address, stops logging about the invalid user name.
Comment 6 Petr Ostadal 2006-10-12 08:31:05 UTC 
Could you check rpms from FACTORY? Some changes touch this area.
Comment 7 Klaus Singvogel 2006-10-17 08:25:11 UTC 
Sorry, but I'm unable to do so.

This happened on my private server, which needs a stable version, as it is running in so called "productivity mode".
I have only a remote access to this machine (and no physical access to the console). Therefore I need a stable ssh version running there.
So I'm unable to test this. Sorry.

Thanks for understanding.
Comment 8 Anna Maresova 2008-04-17 07:40:08 UTC 
I have finally found the time to try to reproduce this old bug with openssh 4.7p1. I have broken my PTR, tried to connect with invalid user and my logfile looks fine. I believe that the bug has been fixed meanwhile, if not, please reopen.