Question about entry in auth.log
Lisa Casey
lisa at jellico.com
Fri Nov 14 16:53:46 PST 2008
Hi,
I run several FreeBSD servers. Today I noticed an entry in the auth.log on
one of them that concerns me. The entry is this:
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for
michael from 89.123.165.3 po
rt 55185 ssh2
There is a user michael on the system, but whoever was doing this was not
him.
I am assuming someone tried to break in using a valid username (michael) but
with an incorrect password. So I just conducted an experiment to see if I
could replicate that log entry using another valid username: mandy. I ssh'ed
into the server, gave mandy as the username with an incorrect password. The
auth.log entry for that attempt is this:
Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from
72.155.127.223 port 51919 ssh2
and when I used something called keyboard interactive as the primary
authentication method in my ssh client, I get this:
sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
Nothing about Accepted keyboard-interactive/pam. What does Accepted
keyboard-interactive/pam mean?
Also, in my ssh client, for authentication methods I have a choice of
password, publickey or keyboard interactive. I've always used password, and
never even noticed that keyboard interactive before. What is that?
Thanks,
Lisa Casey
More information about the freebsd-questions
mailing list