reverse mapping check; authentication methods



Old 08-29-2007
Pekka Savola
 

Hello all,

My logs get filled with bogus SSH connection attempts which I'd expect
should have been denied without logging, so a couple of observations.
Syslog has lots of entries like:

Aug 29 02:23:31 otso sshd[21000]: reverse mapping checking getaddrinfo for
powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:31 otso sshd[21000]: Invalid user upload from 78.110.207.104

and these also show as multiple 'lastb' entries in btmp:

upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
upload ssh:notty 78.110.207.104 Wed Aug 29 02:23 - 02:23 (00:00)
....

This is a bit unexpected for two reasons: AllowUsers directive exists
and these users aren't listed there, and PasswordAuthentication is
disabled for them [1]. Yet they clutter the logs.

Looking at the code, it seems that the getaddrinfo failures don't seem
to result in the connection being rejected, even though the man page
would seem to indicate so [2], though it is not explicit about it. It also
seems that the possible authentication methods are only checked
(do_authloop in SSH1) after it has been verified whether the user
exists (causing these log messages). Likewise, in auth.c getpwnam()
is executed for the attempted user even if the user is not listed in
AllowUsers.

Would it make sense to check the usernames and hosts later, avoiding
unnecessary log clutter? Or is all of this intentional and due to
trying to avoid being able to use SSH to divulge whether a user is
allowed to log in or not?

[1] config is substantially as follows:
==8<===
Protocol 2,1

AllowUsers foo bar
PasswordAuthentication no

Match Host *.fi
PasswordAuthentication yes
Match Host 2002:*
PasswordAuthentication yes
==8<===

[2]
UseDNS Specifies whether sshd(8) should look up the remote host name
and check that the resolved host name for the remote IP address maps
back to the very same IP address. The default is "yes".

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
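As an added example (not part of the post or of OpenSSH), a small Python parser that correlates the two syslog lines quoted above by sshd PID, so the "reverse mapping" warning can be tied to the username that triggered it, and counts per-source attempts for users outside AllowUsers. The sample lines are constructed in the same format as the post's, and the allow list is assumed to be the post's `foo bar`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the format quoted in the post. The first two
# lines reproduce the post's PID 21000 pair; the rest are made up.
SAMPLE_LOG = """\
Aug 29 02:23:31 otso sshd[21000]: reverse mapping checking getaddrinfo for powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:31 otso sshd[21000]: Invalid user upload from 78.110.207.104
Aug 29 02:23:33 otso sshd[21004]: reverse mapping checking getaddrinfo for powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:33 otso sshd[21004]: Invalid user admin from 78.110.207.104
Aug 29 02:24:10 otso sshd[21010]: Invalid user test from 192.0.2.55
Aug 29 02:25:02 otso sshd[21020]: Accepted publickey for foo from 192.0.2.7 port 40122 ssh2
"""

# sshd emits both lines from the same child process, so the PID links them.
REVERSE_RE = re.compile(
    r"sshd\[(\d+)\]: reverse mapping checking getaddrinfo for (\S+) \[([\d.]+)\] failed")
INVALID_RE = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from ([\d.]+)")


def summarize(log_text, allow_users=("foo", "bar")):
    """Return (per_ip, correlated): per_ip maps source IP -> Counter of
    attempted usernames not in allow_users; correlated lists
    (ip, claimed hostname, username) where a reverse-mapping failure and an
    invalid-user line share a PID."""
    rdns_fail = {}                 # pid -> (claimed hostname, ip)
    per_ip = defaultdict(Counter)  # ip -> Counter of usernames
    correlated = []
    for line in log_text.splitlines():
        m = REVERSE_RE.search(line)
        if m:
            rdns_fail[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = INVALID_RE.search(line)
        if m:
            pid, user, ip = m.groups()
            if user not in allow_users:  # mirrors the post's AllowUsers foo bar
                per_ip[ip][user] += 1
            if pid in rdns_fail:
                correlated.append((ip, rdns_fail[pid][0], user))
    return per_ip, correlated


def noisy_sources(per_ip, threshold=2):
    """Source IPs with at least `threshold` attempts for disallowed users."""
    return sorted(ip for ip, users in per_ip.items()
                  if sum(users.values()) >= threshold)
```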