View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007294 | Rocky-Linux-8 | openssh | public | 2024-06-18 21:06 | 2024-06-18 21:06 |
| Reporter | Greg B | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Platform | x86_64 | OS | Rocky Linux | OS Version | 8 |
| Summary | 0007294: OpenSSH records failed logins to /var/log/btmp for successful two-factor logins | ||||
| Description | OpenSSH, or perhaps a PAM module it is calling out to, is recording failed logins to /var/log/btmp when the actual login was successful. This happens when both password and publickey are used in a multifactor configuration, when password authentication is done first, then publickey. This is a mild security issue, because false reports of failed logins will cause the user to no longer notice failed logins. | ||||
| Steps To Reproduce | 1. Configure sshd with the following:<br>`AuthenticationMethods password,publickey`<br>(The order is significant - this problem does not apparently happen when the order is publickey,password.)<br>2. Restart sshd.<br>3. Log in with a successful password and publickey.<br>4. pam_lastlog.so reports either one or two failed logins (this seems to be a timing issue - sometimes just one failed login is reported, sometimes two, depending on the exact timestamps involved)<br>5. The lastb command confirms that a failed login was recorded to /var/log/btmp<br><br>Also, set LogLevel VERBOSE to view logs as I have provided them here. | ||||
| Additional Information | From /var/log/secure: (sanitized)<br>`Jun 18 12:44:10 hostname sshd[pid]: Connection from client-ip port client-port on server-ip port server-port`<br>`Jun 18 12:44:13 hostname sshd[pid]: Partial password for username from client-ip port client-port ssh2`<br>`Jun 18 12:44:13 hostname sshd[pid]: Accepted key key-id found at /home/username/.ssh/authorized_keys:1`<br>`Jun 18 12:44:13 hostname sshd[pid]: Postponed publickey for username from client-ip port client-port ssh2 [preauth]`<br>`Jun 18 12:44:14 hostname sshd[pid]: Accepted key key-id found at /home/username/.ssh/authorized_keys:1`<br>`Jun 18 12:44:14 hostname sshd[pid]: Accepted publickey for username from client-ip port client-port key-id`<br>`Jun 18 12:44:14 hostname sshd[pid]: pam_unix(sshd:session): session opened for user username by (uid=0)`<br><br>From the lastb command: (sanitized)<br>`username ssh:notty client-ip Tue Jun 18 12:44 - 12:44 (00:00)`<br><br>OpenSSH version: openssh-8.0p1-24.el8.x86_64 | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-06-18 21:06 | Greg B | New Issue | |
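
An added triage example, not part of the original report and not Rocky Linux or OpenSSH tooling: it cross-checks `lastb` rows against `/var/log/secure` and marks rows that coincide with a completed password-then-publickey login in one sshd process. The host name, users, addresses, PIDs and the text after the port number on the `Accepted publickey` line are constructed assumptions modelled on the sanitized excerpts above.

```python
import re

# Constructed sample data modelled on the sanitized excerpts in the report.
SECURE_LOG = """\
Jun 18 12:44:13 host1 sshd[4242]: Partial password for alice from 192.0.2.10 port 51514 ssh2
Jun 18 12:44:14 host1 sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2: key-id
Jun 18 13:02:40 host1 sshd[4300]: Failed password for bob from 192.0.2.99 port 40022 ssh2
"""
LASTB_OUTPUT = """\
alice    ssh:notty    192.0.2.10       Tue Jun 18 12:44 - 12:44  (00:00)
bob      ssh:notty    192.0.2.99       Tue Jun 18 13:02 - 13:02  (00:00)
"""
SECURE_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d):\d\d \S+ sshd\[(\d+)\]: "
    r"(Partial password|Accepted publickey) for (\S+) from (\S+) port \d+")
LASTB_RE = re.compile(r"^(\S+)\s+ssh:notty\s+(\S+)\s+\w{3} (\w{3}) +(\d+) (\d\d:\d\d)")

def completed_mfa_minutes(secure_text):
    """Minute keys of sessions where one sshd PID logged both auth steps."""
    partial, done = {}, set()  # partial: (pid, user, ip) -> minute keys
    for line in secure_text.splitlines():
        m = SECURE_RE.match(line)
        if not m:
            continue
        mon, day, hhmm, pid, event, user, ip = m.groups()
        key, stamp = (pid, user, ip), (user, ip, mon, int(day), hhmm)
        if event == "Partial password":
            partial.setdefault(key, set()).add(stamp)
        elif key in partial:  # publickey accepted after a partial password
            done |= partial.pop(key) | {stamp}
    return done

def classify_btmp(lastb_text, secure_text):
    # Heuristic: default lastb output only has minute resolution, so a real
    # failure in the same minute from the same user and IP also matches.
    mfa = completed_mfa_minutes(secure_text)
    rows = []
    for line in lastb_text.splitlines():
        m = LASTB_RE.match(line)
        if m:
            user, ip, mon, day, hhmm = m.groups()
            hit = (user, ip, mon, int(day), hhmm) in mfa
            rows.append((user, ip, hhmm, "spurious" if hit else "review"))
    return rows

if __name__ == "__main__":
    for row in classify_btmp(LASTB_OUTPUT, SECURE_LOG):
        print(*row)
```

Rows labelled `review` have no matching completed two-factor login and still warrant the usual failed-login investigation.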