Bug 509010 - net-misc/openssh should by default log public key failures
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL: http://marc.info/?l=openssh-unix-dev&...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-28 20:41 UTC by Joe Kane
Modified: 2015-03-22 05:35 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Joe Kane 2014-04-28 20:41:08 UTC
<snip>
With more and more brute-force toys being available online, I do wonder if
this kind of thing really ought to be at a higher volume, to alert that
unknown keys are being used on systems. With lost/stolen keys I would
imagine most people would delete and recreate rather than making use of
RevokedKeys, and so not know if folks are silently trying to connect to
their hosts.
I do appreciate, though, that many machines will try their public keys
first and thus possibly create unnecessary noise in logs.
</snip>

Reproducible: Always

Steps to Reproduce:
1. emerge openssh
2. configure for public key
3. use wrong identity
4. see connection but not failure in log
Actual Results:  
sshd syslog shows connection but not failure

Expected Results:  
sshd logs "failed public key for user root" or "public key not found"

Can this be made a Gentoo-specific patch while waiting for upstream?
Comment 1 Joe Kane 2014-04-28 20:44:45 UTC
Maybe, if not a patch, a warning on emerge openssh that you must have LogLevel VERBOSE as a minimum if you intend to use public keys to catch bad guys.
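The report's expected result ("Failed publickey for ...") and the LogLevel VERBOSE requirement in Comment 1 describe what a defender has to parse once that level is enabled. The script below is an added example, not code from the bug or from OpenSSH: it runs over constructed syslog lines in the shape of sshd's "Failed/Accepted publickey for <user> from <ip> port <port> ssh2" messages and groups them by the sshd child PID (one PID per connection). It flags only sessions that offered keys and never had one accepted, so the "tries several keys first, then succeeds" agent behaviour the reporter mentions as log noise is not reported. The hostnames, addresses, PIDs and fingerprints are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real logs). The "Failed publickey"
# lines are the ones sshd only writes at LogLevel VERBOSE for existing users;
# at the default INFO level only the Accepted and "Connection closed" lines
# would be present, which is the gap the bug report describes.
SAMPLE_LOG = """\
Apr 28 20:30:01 host sshd[1201]: Failed publickey for root from 203.0.113.7 port 51234 ssh2: RSA SHA256:cOnStRuCtEd1
Apr 28 20:30:02 host sshd[1201]: Failed publickey for root from 203.0.113.7 port 51234 ssh2: RSA SHA256:cOnStRuCtEd2
Apr 28 20:30:02 host sshd[1201]: Connection closed by authenticating user root 203.0.113.7 port 51234 [preauth]
Apr 28 20:31:10 host sshd[1230]: Failed publickey for joe from 198.51.100.4 port 40010 ssh2: RSA SHA256:cOnStRuCtEd3
Apr 28 20:31:10 host sshd[1230]: Accepted publickey for joe from 198.51.100.4 port 40010 ssh2: RSA SHA256:cOnStRuCtEd4
Apr 28 20:32:00 host sshd[1255]: Failed publickey for invalid user admin from 203.0.113.7 port 51300 ssh2: RSA SHA256:cOnStRuCtEd5
"""

# The trailing "<keytype> <fingerprint>" part is optional so that older sshd
# versions, which omit it, still parse.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) publickey for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)


def parse_publickey_events(text):
    """Return one dict per Failed/Accepted publickey line, in log order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # disconnects, banners and other sshd lines are ignored
        d = m.groupdict()
        d["accepted"] = d.pop("result") == "Accepted"
        d["invalid"] = d["invalid"] is not None
        events.append(d)
    return events


def suspicious_sessions(events):
    """Group events by sshd child PID and report sessions that offered one or
    more public keys without any of them being accepted. A session that fails
    on a few keys and then succeeds is normal multi-identity/agent behaviour
    and is deliberately not flagged."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    report = []
    for pid, evs in by_pid.items():
        if any(e["accepted"] for e in evs):
            continue
        report.append({
            "pid": pid,
            "user": evs[0]["user"],
            "ip": evs[0]["ip"],
            "invalid_user": evs[0]["invalid"],
            "keys_offered": sorted({e["fp"] for e in evs if e["fp"]}),
        })
    return report


if __name__ == "__main__":
    for s in suspicious_sessions(parse_publickey_events(SAMPLE_LOG)):
        tag = " (invalid user)" if s["invalid_user"] else ""
        print(f"{s['ip']} -> {s['user']}{tag}: "
              f"{len(s['keys_offered'])} unknown key(s) offered, none accepted")
```

Run against the sample it reports the root session (two unknown keys, then disconnect) and the "invalid user admin" session, and stays quiet about joe, whose first key was rejected but whose second was accepted. The fingerprints in the report are what you would compare against the keys you expect to see from a given host, which is the "is someone using a lost key" question the reporter raises.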
Comment 2 SpanKY gentoo-dev 2014-04-29 19:13:02 UTC
I don't think we want to turn up the log level to VERBOSE by default, and I don't really want to maintain a patch for this, so an elog is about the only thing we'd add at this point in time.
Comment 3 SpanKY gentoo-dev 2015-03-22 05:35:53 UTC
Requests for changes to the default logging behavior should go here:
  https://bugzilla.mindrot.org/