Ssh – Mac OS X Server Secure Log full of failed SSH attempts

kerberoslog-filesmacSecurityssh

Whenever one of our server's admins tries to access our machine running Mac OS X Server 10.5 via SSH, I get the following error exactly every 10 seconds in the security log:

sshd[32575]: /etc/sshd_config line 70: Unsupported option KerberosGetAFSToken

sshd[32575]: error: PAM: Authentication failure for (username) from 129.1.95.241

sshd[32575]: Failed keyboard-interactive/pam for (username) from 129.1.95.241

The user is able to log in and work as normal, but this error is dominating the log file. At first we discovered he had a left-over public ssh key on his system, but even after deleting that the error persists. The error keeps appearing every 10 seconds, even when the user is no longer logged into the server!

Has anyone seen this issue before? How can these errors be generated from the same IP even when that machine does not have an open connection to the server? Where else should I look?

Thanks very much for your help!

Best Answer

Sounds like some rogue script that runs on 129.1.95.241 and tries to log in. I'd have a look at that host directly.

Or if it's not under your control block it with the firewall. If it indeed is needed than somebody will come screaming at you at you'll have the option to "repair" this. If you have a contact for the server probably drop a mail with some deadline to give a warning.

Related Solutions

SSHD – blocking password authentication

AFAIK using PasswordAuthentication the client prompts for your username and password and then sends both to the server. In keyboard-interactive the client asks for your username, sends it to the server and then the server responds back with a password prompt which is in turn relayed back via the client to you.

The whole thing has been done to be able to implement further security measures to make sure you (the user) actually interactively types the password and it is not stored in some way and then only entered.

Ubuntu SSH Login – Permission Denied, Please Try Again

Are you certain that the user account you're attempting to access is correctly configured? If you log in as root on the system, can you su to the user account?

# su - username

What do you see in your logs after a failed connection attempt? On many systems, sshd will log to something /var/log/secure or /var/log/auth.log. Also, I note that you have PasswordAuthentication enabled but ChallengeResponseAuthentication disabled. Do you see the same behavior if you enable ChallengeResponseAuthentication?

Here are some general diagnostic steps to use when you have ssh problems:

Enable verbose diagnostics in ssh:
```
ssh -v host.example.com
```
This will cause the client to output a variety of diagnostic messages as it negotiates the connection. This will often provide a clue to the problem.
Run the server in debug mode.

On your server, stop sshd, then run it from the command line like this:
```
/usr/sbin/sshd -d
```
This will produce verbose debug logging on stderr that will very often contain useful information.

If neither of these helps you figure out what's going on, would you add the output to your question?

Best Answer

Related Solutions

SSHD – blocking password authentication

Ubuntu SSH Login – Permission Denied, Please Try Again

Related Topic