[Logcheck-devel] Bug#743000: Bug#743000: logcheck: i.d.s/ssh regex doesn't match when using key exchange authentication

Philou philou at philou.org
Thu Apr 3 23:19:07 UTC 2014


Hi Alberto,

You mean, which ssh option? Default sshd configuration on the
server, it's just that, as I'm using key exchange authentication, some
text is appended at the end of the syslog message ": RSA
e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c", and as such the very
first regex of i.d.s/ssh won't match:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?$

As a temporary solution, I removed the "$" at the end of the regex, so
that it matches anything that comes after "ssh2". So it works whether
I'm using login/pwd or key exchange authentication.

Truly yours,

Philippe

> On 2 Apr 2014 at 18:58, Alberto Gonzalez Iniesta <agi at inittab.org>
> wrote:
> 
>> On Sat, Mar 29, 2014 at 10:53:09PM +0100, philou wrote:
>> Current regex in i.d.s/ssh doesn't match when using key exchange
>> authentication.
>> 
>> If not using key exchange authentication, the following log message
>> will be correctly ignored:
>> 
>> Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from
>> 192.0.2.60 port 20042 ssh2
>> 
>> When using key exchange authentication, the following log message
>> will NOT be ignored:
>> 
>> Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from
>> 192.0.2.60 port 60594 ssh2: RSA
>> e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c
> 
> Hi Philippe,
> 
> Could you tell me which option you are using in order to get the
> latter message? That way I can reproduce it and fix the rule.
> 
> Thanks,
> 
> Alberto
> 
> -- 
> Alberto Gonzalez Iniesta    | Training, consulting and technical support
> mailto/sip: agi at inittab.org | on GNU/Linux and free software
> Encrypted mail preferred    | http://inittab.com
> 
> Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
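
Added example, not part of the original message and not logcheck's own rule: it runs the two log lines from the report, plus one constructed line with unexpected trailing text, through the rule as posted, the rule with "$" removed, and a variant that keeps "$" but allows an optional key suffix. The suffix pattern (uppercase key type followed by 16 colon-separated hex bytes, as in the reported line) and all variable and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Sample lines: PLAIN and KEYED are the two messages quoted in the bug report,
# ODD is constructed here to show what an unanchored rule also swallows.
PLAIN='Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2'
KEYED='Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c'
ODD='Jan 28 11:53:10 server sshd[5200]: Accepted publickey for fred from 192.0.2.60 port 60601 ssh2 unexpected trailing text'

# The rule from the report, without its final "$".
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?'

ORIGINAL="${PREFIX}\$"   # rule as shipped: anchored, no key suffix allowed
UNANCHORED="${PREFIX}"   # the temporary workaround: "$" removed
# Assumed tighter variant: optional ": <KEYTYPE> <16 hex bytes>" and then "$".
TIGHT="${PREFIX}(: [A-Z0-9-]+ ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?\$"

# ignored RULE LINE -> prints "ignored" if the rule matches (logcheck would
# drop the line from its report), otherwise "reported".
ignored() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo ignored
    else
        echo reported
    fi
}

for name in ORIGINAL UNANCHORED TIGHT; do
    eval "rule=\$$name"
    printf '%-10s plain=%s keyed=%s odd=%s\n' "$name" \
        "$(ignored "$rule" "$PLAIN")" \
        "$(ignored "$rule" "$KEYED")" \
        "$(ignored "$rule" "$ODD")"
done
```

The unanchored rule ignores the keyed line, but it also ignores the constructed line with arbitrary trailing text; the anchored variant with an optional suffix still reports that line.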


