[Logcheck-devel] Bug#743000: Bug#743000: logcheck: i.d.s/ssh regex doesn't match when using key exchange authentication
Philou
philou at philou.org
Thu Apr 3 23:19:07 UTC 2014
Hi Alberto,

You mean, which ssh option? Default sshd configuration on the
server, it's just that, as I'm using key exchange authentication, some
text is appended at the end of the syslog message ": RSA
e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c", and as such the very
first regex of i.d.s/ssh won't match:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?$

As a temporary solution, I removed the "$" at the end of the regex, so
that it matches anything that comes after "ssh2". So it works whether
I'm using login/pwd or key exchange authentication.

Truly yours,
Philippe

> On 2 Apr 2014, at 18:58, Alberto Gonzalez Iniesta <agi at inittab.org>
> wrote:
>
>> On Sat, Mar 29, 2014 at 10:53:09PM +0100, philou wrote:
>> Current regex in i.d.s/ssh doesn't match when using key exchange
>> authentication.
>>
>> If not using key exchange authentication, the following log message
>> will be correctly ignored:
>>
>> Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from
>> 192.0.2.60 port 20042 ssh2
>>
>> When using key exchange authentication, the following log message
>> will NOT be ignored:
>>
>> Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from
>> 192.0.2.60 port 60594 ssh2: RSA
>> e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c
>
> Hi Philippe,
>
> Could you tell me which option you are using in order to get the
> latter message? That way I can reproduce it and fix the rule.
>
> Thanks,
>
> Alberto
>
> --
> Alberto Gonzalez Iniesta | Training, consulting and technical support
> mailto/sip: agi at inittab.org | for GNU/Linux and free software
> Encrypted mail preferred | http://inittab.com
>
> Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
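
Added example, not part of the original messages and not logcheck's own rules: it runs the rule quoted above, the "$"-removed workaround, and a still-anchored variant against the two reported log lines plus one constructed line. The `ANCHORED` pattern, the `LINE_OTHER` sample and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: how end-of-line anchoring changes which sshd lines a
# logcheck-style ignore rule (an extended regex, as matched by grep -E) drops.

# The rule quoted in the message, without its trailing "$".
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?'

ORIGINAL="${PREFIX}\$"    # rule as quoted: anchored at end of line
WORKAROUND="${PREFIX}"    # "$" removed: any trailing text is accepted
# Assumption (not a logcheck rule): permit only an optional
# ": <key type> <colon-separated hex fingerprint>" suffix and keep the "$".
ANCHORED="${PREFIX}(: [[:alnum:]-]+ ([[:xdigit:]]{2}:)+[[:xdigit:]]{2})?\$"

# The two log lines from the report, and one constructed line with other trailing text.
LINE_PLAIN='Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2'
LINE_KEY='Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c'
LINE_OTHER='Jan 28 11:53:10 server sshd[5110]: Accepted publickey for fred from 192.0.2.60 port 60600 ssh2 unexpected trailing text'

# ignored RULE LINE: succeeds when RULE matches LINE, i.e. the line would be
# filtered out of the report.
ignored() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# report NAME RULE: print whether each sample line is ignored or reported.
report() {
    for line in "$LINE_PLAIN" "$LINE_KEY" "$LINE_OTHER"; do
        if ignored "$2" "$line"; then verdict=ignored; else verdict=reported; fi
        printf '%-10s %-8s %s\n' "$1" "$verdict" "$line"
    done
}

report original   "$ORIGINAL"
report workaround "$WORKAROUND"
report anchored   "$ANCHORED"
```

The unanchored workaround also filters the constructed third line, while the anchored variant ignores both reported lines and still reports it.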