Bug 200105 - logwatch reports illegal ssh users when ssh uses postponed publickey auth
Summary: logwatch reports illegal ssh users when ssh uses postponed publickey auth
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 5
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-07-25 14:53 UTC by long
Modified: 2007-11-30 22:11 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2006-08-15 11:18:35 UTC


Attachments (Terms of Use)

Description long 2006-07-25 14:53:12 UTC
Description of problem:
When I login via ssh to the machine in /var/log/secure it shows:

Jul 24 14:48:49 shibby sshd[25585]: Postponed publickey for long from
XXX.XXX.XXX.XXX port 49609 ssh2
Jul 24 14:48:49 shibby sshd[25585]: Accepted publickey for long from
XXX.XXX.XXX.XXX port 49609 ssh2
Jul 24 09:48:49 shibby sshd[25584]: Accepted publickey for long from
XXX.XXX.XXX.XXX port 49609 ssh2
Jul 24 09:48:49 shibby sshd[25586]: pam_unix(sshd:session): session opened for
user long by (uid=0)

(Notice the times are all goofy too.)  When logwatch runs the next day I get
this in its report:

--------------------- SSHD Begin ------------------------ 

 
 Illegal users from:
    129.237.21.103 (griffon.cc.ku.edu): 2 times
 
 Postponed authentication:
    long/publickey:
       129.237.21.103: 2 Time(s)
 
 Users logging in through sshd:
    long:
       129.237.21.103 (griffon.cc.ku.edu): 4 times
 
 ---------------------- SSHD End ------------------------- 

(I did login several other times that day.)

Version-Release number of selected component (if applicable):
logwatch-7.2.1-1.fc5

How reproducible:
always

Steps to Reproduce:
1. configure ssh publickey authentication
2. login to the core 5 machine using ssh publickey auth
3.
  
Actual results:
 Illegal users from:
    XXX.XXX.XXX.XXX (griffon.cc.ku.edu): 2 times

Expected results:
 No output for "illegal users"

Additional info:


Note You need to log in before you can comment on or make changes to this bug.