From nobody@FreeBSD.ORG Tue Nov 16 17:45:22 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 718E814FB4; Tue, 16 Nov 1999 17:45:08 -0800 (PST)
Message-Id: <19991117014508.718E814FB4@hub.freebsd.org>
Date: Tue, 16 Nov 1999 17:45:08 -0800 (PST)
From: mike@sentex.net
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: Simple patch to log password attempts on ssh connections
X-Send-Pr-Version: www-1.0

>Number:         14933
>Category:       ports
>Synopsis:       Simple patch to log password attempts on ssh connections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    imp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 16 17:50:01 PST 1999
>Closed-Date:    Mon Jun 4 21:04:45 MDT 2001
>Last-Modified:  Mon Jun 04 21:04:56 MDT 2001
>Originator:     Mike Tancsa
>Release:        FreeBSD
>Organization:
Sentex Communications
>Environment:
FreeBSD 3.3-STABLE #0: Mon Nov  8 09:15:21 EST 1999
>Description:
The following patch will log to syslog password attempts when connecting via SSH.  Currently, an attacker can guess all they want, with out any real auditing.
>How-To-Repeat:
slogin example.com
>Fix:
*** sshd.c.orig2        Tue Nov 16 13:59:12 1999
--- work/ssh-1.2.27/sshd.c      Tue Nov 16 13:59:48 1999
***************
*** 2673,2678 ****
--- 2673,2679 ----
                break;
              }
            debug("Password authentication for %.100s failed.", user);
+           log_msg("Password LOGIN FAILURE for user: %.100s from: %.100s", user,get_canonical_hostname());
            memset(password, 0, strlen(password));
            xfree(password);
            break;

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Wed Nov 17 00:35:00 MST 1999 
Responsible-Changed-Why:  
I told mike to file this PR and that I'd look into it.  So that's what 
I'm doing. 
State-Changed-From-To: open->feedback 
State-Changed-By: will 
State-Changed-When: Sat Apr 22 17:31:33 PDT 2000 
State-Changed-Why:  
What's the status on this (seemingly simple) patch? It seems that it's a useful 
patch, but not every system admin will want to see this message, so perhaps an 
addition to the config file and/or a runtime command line option is appropriate. 
Thoughts, comments, code? :-) 

From: Konstantinos Konstantinidis <kkonstan@duth.gr>
To: freebsd-gnats-submit@FreeBSD.org, mike@sentex.net,
	freebsd-ports@FreeBSD.org
Cc:  
Subject: Re: ports/14933: Simple patch to log password attempts on ssh 
 connections
Date: Tue, 05 Jun 2001 02:48:15 +0300

 Since security/ssh is deprecated, forbidden, and soon to be removed,
 I suppose this old PR should be closed.
 
 --kkonstan
State-Changed-From-To: feedback->closed 
State-Changed-By: imp 
State-Changed-When: Mon Jun 4 21:04:45 MDT 2001 
State-Changed-Why:  
OBE. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=14933 
>Unformatted:
