Bug 148342 - Failure in DNS doesn't show failed ssh logins
Status: RESOLVED WORKSFORME
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Security
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Enhancement
Target Milestone: unspecified
Assignee: Anna Maresova
QA Contact: E-mail List
Reported: 2006-02-06 10:16 UTC by Klaus Singvogel
Modified: 2008-04-17 07:40 UTC
Found By: Development

Description Klaus Singvogel 2006-02-06 10:16:56 UTC
I noticed that a failure in the reverse DNS name resolution doesn't report more information on the ssh login: if it failed or succeeded.
This is bad, because the more important information is hidden behind some less important information.

Please note: this is openssh-4.1p1 (SuSE 10.0)

I find in the logfile messages:
Jan 28 00:28:16 tuxhost sshd[27875]: Address 64.37.78.21 maps to gr2.georapid.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

But I want to see this:
Jan 28 00:28:16 tuxhost sshd[27875]: Invalid user test from 64.37.78.21
Comment 1 Petr Ostadal 2006-02-06 12:13:28 UTC
It could only be a feature request for 10.1 or maybe later (not a bug report).
Comment 2 Petr Ostadal 2006-02-06 13:06:15 UTC
When I took a quick look into the code, I found that "Invalid user" is logged after the "POSSIBLE BREAKIN ATTEMPT!" message if the login failed, but I can't check it.
Comment 3 Klaus Singvogel 2006-02-06 15:50:59 UTC
I looked again through my logfile: sometimes there is an "Invalid user" line, sometimes there is none.

When the above messages occurred, my login-blocker didn't work, because of the missing "Invalid user" lines. This resulted in several hundred (thousands?) lines of "POSSIBLE BREAKIN ATTEMPT!" in the logfile. But my blocker should limit this to 10-20 lines...
Comment 4 Petr Ostadal 2006-02-08 19:59:59 UTC
Yes, when there isn't "Invalid user" it means the login succeeded (I tested and it works well).

Now, I don't understand where the problem is.
Comment 5 Klaus Singvogel 2006-02-09 08:37:23 UTC
No, there wasn't a successful login.
Neither an "Accepted keyboard-interactive/pam for [...]" nor an "Accepted publickey for" is in the logfile, nor is a corresponding wtmp entry present.

The problem is this: I see several hundred connections to the sshd daemon in the logfile, but I don't see the "Invalid user [...] from [...]" in the logfile. I assume that the reason for the missing entry is this: reporting an invalid IP address stops logging about the invalid user name.
Comment 6 Petr Ostadal 2006-10-12 08:31:05 UTC
Could you check rpms from FACTORY? Some changes touch this area.
Comment 7 Klaus Singvogel 2006-10-17 08:25:11 UTC
Sorry, but I'm unable to do so.

This happened on my private server, which needs a stable version, as it is running in so-called "productivity mode".
I have only remote access to this machine (and no physical access to the console). Therefore I need a stable ssh version running there.
So I'm unable to test this. Sorry.

Thanks for understanding.
Comment 8 Anna Maresova 2008-04-17 07:40:08 UTC
I have finally found the time to try to reproduce this old bug with openssh 4.7p1. I broke my PTR, tried to connect with an invalid user, and my logfile looks fine. I believe that the bug has been fixed in the meantime; if not, please reopen.
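
Added example, not part of the bug report and not the code of any participant's login-blocker: a log scan that counts a connection as a failed attempt when sshd logs either the reverse-DNS mismatch line or the "Invalid user" line for it, unless the same sshd PID also logged an "Accepted ..." line (the check described in Comment 5). The log lines, addresses, host names and the function name `failed_sources` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog style quoted in the report; addresses are
# documentation ranges, host names and users are made up.
SAMPLE_LOG = """\
Jan 28 00:28:16 tuxhost sshd[2001]: Address 192.0.2.7 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan 28 00:28:19 tuxhost sshd[2002]: Address 192.0.2.7 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan 28 00:28:19 tuxhost sshd[2002]: Invalid user test from 192.0.2.7
Jan 28 00:28:22 tuxhost sshd[2003]: Address 192.0.2.7 maps to host.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan 28 00:30:01 tuxhost sshd[2004]: Address 198.51.100.9 maps to gw.example.org, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan 28 00:30:03 tuxhost sshd[2004]: Accepted publickey for klaus from 198.51.100.9 port 40022 ssh2
Jan 28 00:31:10 tuxhost sshd[2005]: Invalid user admin from 203.0.113.5
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RDNS = re.compile(r"^Address (?P<ip>\S+) maps to \S+, but this does not map back")
# The user name is attacker-controlled: match greedily and anchor at the end so
# a name like "x from 10.0.0.1" cannot spoof the source address. The optional
# " port N" suffix is an assumption for sshd versions that append it.
INVALID = re.compile(r"^Invalid user .* from (?P<ip>\S+)(?: port \d+)?$")
ACCEPTED = re.compile(r"^Accepted \S+ for ")

def failed_sources(log_text, threshold=3):
    """Return {ip: failed_connections} for sources at or above threshold."""
    conn_ip = {}      # sshd pid -> source IP taken from a failure-type line
    accepted = set()  # sshd pids that logged a successful login
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if ACCEPTED.match(msg):
            accepted.add(pid)
            continue
        hit = RDNS.match(msg) or INVALID.match(msg)
        if hit:
            conn_ip.setdefault(pid, hit["ip"])  # one count per connection
    counts = defaultdict(int)
    for pid, ip in conn_ip.items():
        if pid not in accepted:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failed_sources(SAMPLE_LOG))
```

sshd PIDs are reused over time, so a blocker running over a long log would also need to group lines by a time window rather than by PID alone.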