Red Hat Bugzilla – Bug 39727
strange message in log
Last modified: 2007-04-18 12:33:08 EDT
The SSH prints strange message in /var/log/messages
May 8 17:08:49 imap1 sshd: Received disconnect from 188.8.131.52: 11:
The "11:^\u^R" is this OK, or some this is some garbage
which was put to the /var/log/messages because of a bug in sshd
The SSH version is:
rpm -q openssh
Depends on what kind of circumstance you got it in. It should contain the reason for disconnecting.
I've gotten e.g.:
May 9 09:17:07 xxx sshd: Received disconnect from aaa.bbb.1.97: 11: Disconnect requested by Windows SSH Client.
May 9 13:26:28 xxx sshd: Received disconnect from aaa.bbb.2.38: 13: Authentication cancelled by user.
I do not have a reason. Just some garbage printed instead:
Apr 30 12:02:11 xxx sshd: Received disconnect from 184.108.40.206: 11: XX^R
It is sililar to yours (11: there, but no error message, just some random
Also I tested this on two computers (both RedHat 7.0 will all updates).
In both log I have same error messages with random data printed
rpm -q openssh
I checked few logs the strings printed there may be:
The client is ssh 2.0.12 from DataFellows, seems some string from
the data went directly to log.
My logs show this happening once on a RHL62 system with 2.5.2p2. The connecting client is most probably
some old Windows one; Data Fellows might not be a bad bet.
The string there is printed from the packet by buffer_get_string function as intended. The client isn't just
recording anything sane in there. I suspect a client-side bug, but I don't see this very interesting issue unless
the client is acting so oddly that it hinders the normal use ;-)
I suggest resolving this as NOTABUG.
The only question I have: is this save to put a string read
from a client directly to log.
Should the string be escaped or something else done with it?
The string is limited to 400 characters, normal format string attack methods don't work with it, and NULL is added at the end of
it. It should be as safe as you can get.