Bug 200105 - logwatch reports illegal ssh users when ssh uses postponed publickey auth
logwatch reports illegal ssh users when ssh uses postponed publickey auth
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: logwatch (Show other bugs)
5
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Marcela Mašláňová
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-25 10:53 EDT by long
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-15 07:18:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description long 2006-07-25 10:53:12 EDT
Description of problem:
When I login via ssh to the machine in /var/log/secure it shows:

Jul 24 14:48:49 shibby sshd[25585]: Postponed publickey for long from
XXX.XXX.XXX.XXX port 49609 ssh2
Jul 24 14:48:49 shibby sshd[25585]: Accepted publickey for long from
XXX.XXX.XXX.XXX port 49609 ssh2
Jul 24 09:48:49 shibby sshd[25584]: Accepted publickey for long from
XXX.XXX.XXX.XXX port 49609 ssh2
Jul 24 09:48:49 shibby sshd[25586]: pam_unix(sshd:session): session opened for
user long by (uid=0)

(Notice the times are all goofy too.)  When logwatch runs the next day I get
this in its report:

--------------------- SSHD Begin ------------------------ 

 
 Illegal users from:
    129.237.21.103 (griffon.cc.ku.edu): 2 times
 
 Postponed authentication:
    long/publickey:
       129.237.21.103: 2 Time(s)
 
 Users logging in through sshd:
    long:
       129.237.21.103 (griffon.cc.ku.edu): 4 times
 
 ---------------------- SSHD End ------------------------- 

(I did login several other times that day.)

Version-Release number of selected component (if applicable):
logwatch-7.2.1-1.fc5

How reproducible:
always

Steps to Reproduce:
1. configure ssh publickey authentication
2. login to the core 5 machine using ssh publickey auth
3.
  
Actual results:
 Illegal users from:
    XXX.XXX.XXX.XXX (griffon.cc.ku.edu): 2 times

Expected results:
 No output for "illegal users"

Additional info:

Note You need to log in before you can comment on or make changes to this bug.