SSHd not logging Failed publickey attempts


On Debian Squeeze I have sshd set up to not permit password logins and require key based authentication.

I notice that when I attempt to log in from the WAN into my box with a bad SSH key, I do not get the "Failed publickey…." message in auth.log. I only get "Connection from…." logged and that's it.

When I log in from within my LAN to my box with a bad key, I do get "Failed publickey…." logged. I want to be able to log all failed publickey attempts to SSH.

Does anyone have any advice as to why it's not logging failed keys from the WAN?

Best Answer

I generally recommend increasing the default logging for sshd. The default loglevel is INFO, which gives you some minimal levels of information, but certainly not all. I recommend cranking that up to VERBOSE which will give you such events as the fingerprint of the key used for authentication, a log message when the user logs off, and should contain the failures that you're interested in.

Edit your /etc/ssh/sshd_config and find the setting for LogLevel. Change that such that it is

LogLevel VERBOSE

Then restart the sshd service.
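
A check to run after the edit above, as an added example that is not part of the original answer: it reports which LogLevel the global section of a config file yields, assuming the first occurrence of a keyword wins and INFO applies when none is set. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.

# Print the LogLevel sshd would take from the global section of a config file.
# $1: path to an sshd_config-style file
effective_loglevel() {
    awk '
        { sub(/=/, " ") }                        # also accept the keyword=value form
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # global section ends at first Match
        tolower($1) == "loglevel" { print toupper($2); found = 1; exit }
        END { if (!found) print "INFO" }         # default level when unset
    ' "$1"
}

# Succeed when the level is VERBOSE or one of the more detailed DEBUG levels.
logs_verbose_events() {
    case "$(effective_loglevel "$1")" in
        VERBOSE|DEBUG|DEBUG1|DEBUG2|DEBUG3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config: a commented-out default, a lower-case directive,
# and a later duplicate that is ignored because the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# LogLevel INFO
Port 22
loglevel verbose
LogLevel INFO
EOF

echo "effective LogLevel: $(effective_loglevel "$sample")"
if logs_verbose_events "$sample"; then
    echo "OK: VERBOSE-level events will be logged"
else
    echo "LogLevel is too low to log VERBOSE-level events"
fi
rm -f "$sample"
```

Point `effective_loglevel` at /etc/ssh/sshd_config before restarting sshd to catch a commented-out or shadowed directive.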