Re: com.jcraft.jsch.JSchException: Auth fail

On Wed, 14 Sep 2016, Christian Kujau wrote:

> Hi,
> 
> I've come across some messages from sshd (OpenSSH 6.7) in my auth.log that 
> I hadn't noticed before:
> 
>  sshd[32008]: error: Received disconnect from x.x.x.x: 3: \
>      com.jcraft.jsch.JSchException: Auth fail [preauth]
> 
> I was kinda puzzled why sshd would emit some JCraft[0] messages and the 
> best explanation I found was this Serverfault[1] answer, quoting a snippet 
> from packet.c:1965 and adding:

It's logging the reason the client gave for disconnecting.

>  > It looks like openssh server passes through the last message from the 
>  > client in its "Received disconnect" error message, so it appears that 
>  > this is a zombie login attempt from a botnet that is authored in Java.
> 
> So, while this explains the log message, I'm wondering if there are some 
> security implications in "passing messages from the client through the 
> server and into the auth.log", i.e. could this be exploited somehow or is 
> the function handling these strings in packet.c "strong" enough not to 
> pass through or interpret malign strings?

I'm not seeing a problem here. It's logging a string, and we escape any
non-ASCII characters in log.c. If anything it's probably too strict
(wrt escaping valid UTF-8 from logs on systems that support it).

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
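
The escaping described in the reply above, as an added example that is not part of the original message and is not OpenSSH's log.c: a simplified C sketch that writes every byte outside printable ASCII as an octal escape before a client-supplied disconnect reason reaches the log. The helper name `escape_for_log` and the sample strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSSH code): copy src to dst, writing every
 * byte that is not printable ASCII, and the backslash itself, as \ooo.
 * Returns bytes written (excluding NUL); stops before a partial escape. */
size_t escape_for_log(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    size_t o = 0;
    if (dstlen == 0)
        return 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= dstlen)
                break;
            dst[o++] = (char)c;
        } else {
            if (o + 4 >= dstlen)
                break;
            snprintf(dst + o, 5, "\\%03o", (unsigned)c);
            o += 4;
        }
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed disconnect reasons, as an untrusted client could send them. */
    const char *samples[] = {
        "com.jcraft.jsch.JSchException: Auth fail",
        "Auth fail\nsshd[1]: forged second line",   /* embedded newline */
        "bye \x1b[2J",                                /* terminal escape */
        "d\xc3\xa9" "connexion",                      /* valid UTF-8, still escaped */
    };
    char safe[256];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        escape_for_log(safe, sizeof(safe), samples[i], strlen(samples[i]));
        printf("error: Received disconnect from x.x.x.x: 3: %s [preauth]\n", safe);
    }
    return 0;
}
```

The second sample stays on one log line because the newline becomes `\012`, and the last sample shows the strictness mentioned in the reply: valid UTF-8 is escaped as well.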


