[Logwatch] sshd illegal user with keys

Markus Lude lude at informatik.uni-tuebingen.de
Wed Jul 26 09:11:43 MST 2006


On Wed, Jul 26, 2006 at 03:26:29PM +0200, Michael Rolli wrote:
> > Can you show the raw logs?
> Sure:
> 
> snippet showing 1 login with keys:
> Jul 26 12:35:40 myhost sshd[2759]: Postponed publickey for root from  
> 192.168.30.199 port 49320 ssh2
> Jul 26 14:35:41 myhost sshd[2758]: Accepted publickey for root from  
> 192.168.30.199 port 49320 ssh2
> Jul 26 12:35:41 myhost sshd[2759]: Accepted publickey for root from  
> 192.168.30.199 port 49320 ssh2
> Jul 26 14:35:41 myhost sshd[2760]: pam_unix(sshd:session): session  
> opened for user root by root(uid=0)
> 
> Focus on the times. I logged in at 14:35:41 (localtime). It seems as if 2  
> lines were logged in UTC while the other two are in localtime. Bug in  
> sshd? I don't know. I'll investigate this further.
> Anyway, Logwatch seems to work.
> Anyhow. The two illegals are generated because the two lines at 12:35  
> are not logical in time, are they?

The illegal is generated because of a match for "Postponed ..."

Interestingly, log entries like
... Postponed keyboard-interactive for $user from
were ignored if $user doesn't contain any space, but logins per
publickey were handled differently. I think we could ignore this too in
logwatch. I attach a patch for this.

The duplicate log entries for "Accepted ..." with different times seem
to be a problem with ssh. Also see the bug report for FC5:
  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193184

> Regards
> Michael

Regards,
Markus

-------------- next part --------------
--- sshd.61	2006-07-26 17:51:42.000001000 +0200
+++ sshd	2006-07-26 18:03:32.000001000 +0200
@@ -189,7 +189,7 @@
        ($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
        ($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
        ($ThisLine =~ m/Connection from .* port /) or
-       ($ThisLine =~ m/Postponed keyboard-interactive for [^ ]+ from [^ ]+/) or
+       ($ThisLine =~ m/Postponed (keyboard-interactive|publickey) for [^ ]+ from [^ ]+/) or
        ($ThisLine =~ m/Read from socket failed/) or
        ($ThisLine =~ m/sshd startup\s+succeeded/) or
        ($ThisLine =~ m/sshd shutdown\s+succeeded/) or
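Review bot: the capturing group added on the `+` line, `(keyboard-interactive|publickey)`, is never used, so a non-capturing group `(?:keyboard-interactive|publickey)` is the cleaner form and avoids silently populating $1 for the rest of the branch. It is also worth stating in a comment next to this line that the `[^ ]+` user field is deliberate: only "Postponed" lines whose user field has no spaces are dropped, which is exactly what the keyboard-interactive branch already did, and keeps any "Postponed" line with an unusual user field on the report rather than discarding it.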


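The following is an added stand-alone example, not code from the logwatch project or from either poster. It re-implements the relevant part of the sshd filter's "ignore" alternation in Python, runs it over the lines quoted in this thread plus two constructed lines (a keyboard-interactive "Postponed" entry for a hypothetical user "alice" and a publickey "Postponed" entry with an "invalid user" field; both addresses and names are made up), and shows which lines fall through as unmatched before and after the patch. It also collapses the duplicated "Accepted" entries that the thread attributes to an ssh bug, using a heuristic key of (user, source address, source port); that dedupe is this example's own idea, not something the patch does.

```python
import re

# Constructed sample log: the four lines quoted in the thread, plus two
# invented lines (alice, bob) to exercise the other regex branches.
SAMPLE_LOG = """\
Jul 26 12:35:40 myhost sshd[2759]: Postponed publickey for root from 192.168.30.199 port 49320 ssh2
Jul 26 14:35:41 myhost sshd[2758]: Accepted publickey for root from 192.168.30.199 port 49320 ssh2
Jul 26 12:35:41 myhost sshd[2759]: Accepted publickey for root from 192.168.30.199 port 49320 ssh2
Jul 26 14:35:41 myhost sshd[2760]: pam_unix(sshd:session): session opened for user root by root(uid=0)
Jul 26 14:36:02 myhost sshd[2761]: Postponed keyboard-interactive for alice from 192.168.30.200 port 50001 ssh2
Jul 26 14:36:10 myhost sshd[2762]: Postponed publickey for invalid user bob from 192.168.30.201 port 50002 ssh2
"""

# logwatch hands the script only the message after "sshd[pid]: "; strip the
# syslog prefix the same way, keeping timestamp and pid for the report.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The "ignore" branch before and after the patch, reduced to the lines that
# matter here (the real script has many more alternatives).
IGNORE_BEFORE = re.compile(r"Postponed keyboard-interactive for [^ ]+ from [^ ]+")
IGNORE_AFTER = re.compile(r"Postponed (?:keyboard-interactive|publickey) for [^ ]+ from [^ ]+")

# Lines the script classifies rather than ignores.
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
SESSION = re.compile(r"^pam_unix\(sshd:session\): session (opened|closed) for user (\S+)")


def classify(log_text, ignore_re):
    """Split sshd lines into accepted logins and unmatched ("illegal") lines.

    Anything the ignore regex or the session regex matches is dropped; an
    Accepted line is recorded; everything else ends up in `unmatched`, which
    is what logwatch reports as unexpected.
    """
    accepted, unmatched = [], []
    for line in log_text.splitlines():
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue
        msg = m["msg"]
        if ignore_re.search(msg) or SESSION.match(msg):
            continue
        a = ACCEPTED.match(msg)
        if a:
            accepted.append({
                "ts": m["ts"], "pid": m["pid"], "method": a[1],
                "user": a[2], "src": a[3], "port": a[4],
            })
            continue
        unmatched.append(msg)
    return accepted, unmatched


def dedupe_logins(accepted):
    """Collapse Accepted entries that describe the same TCP connection.

    Heuristic key: (user, source address, source port). The thread shows sshd
    logging one login twice, from different pids and with different
    timestamps; counting both would double the login count in the report.
    Source ports are reused over time, so only apply this within one run.
    """
    seen, unique = set(), []
    for entry in accepted:
        key = (entry["user"], entry["src"], entry["port"])
        if key in seen:
            continue
        seen.add(key)
        unique.append(entry)
    return unique


if __name__ == "__main__":
    for label, ignore_re in (("before patch", IGNORE_BEFORE), ("after patch", IGNORE_AFTER)):
        accepted, unmatched = classify(SAMPLE_LOG, ignore_re)
        print(f"== {label}: {len(accepted)} Accepted, "
              f"{len(dedupe_logins(accepted))} unique logins, {len(unmatched)} unmatched")
        for msg in unmatched:
            print("   unmatched:", msg)
```

Run as-is, the "before" pass reports both "Postponed publickey" lines as unmatched; the "after" pass drops the one for root but still reports the "invalid user bob" line, because its user field contains spaces and `[^ ]+` does not match it. The two "Accepted" entries for the same connection count once after `dedupe_logins`.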