Question about entry in auth.log
Tom Marchand
m0rchand at comcast.net
Fri Nov 14 17:04:03 PST 2008
On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote:
> Lisa Casey wrote:
>> Hi,
>>
>> I run several FreeBSD servers. Today I noticed an entry in the
>> auth.log
>> on one of them that concerns me. The entry is this:
>>
>> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam
>> for
>> michael from 89.123.165.3 po
>> rt 55185 ssh2
>>
>> There is a user michael on the system, but whoever was doing this was
>> not him.
>>
>> I am assuming someone tried to break in using a valid username
>> (michael)
>> but with an incorrect password. So I just conducted an experiment
>> to see
>> if I could replicate that log entry using another valid username:
>> mandy.
>> I ssh'ed into the server, gave mandy as the username with an
>> incorrect
>> password. The auth.log entry for that attempt is this:
>>
>> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from
>> 72.155.127.223 port 51919 ssh2
>>
>> and when I used something called keyboard interactive as the primary
>> authentication method in my ssh client, I get this:
>>
>> sshd[96348]: error: PAM: authentication error for mandy from
>> 72.155.127.223
>>
>> Nothing about Accepted keyboard-interactive/pam. What does Accepted
>> keyboard-interactive/pam mean?
>>
>> Also, in my ssh client, for authentication methods I have a choice of
>> password, publickey or keyboard interactive. I've always used
>> password,
>> and never even noticed that keyboard interactive before. What is
>> that?
>>
>> Thanks,
>>
>> Lisa Casey
>>
> Keyboard-interactive includes when the server sends requests such as
> "Password:" to which the connector responds by typing their password.
> This is different from entering the password in your client before
> connecting. Example:
>
> $ ssh steve at thinkpad
> steve at thinkpad's password:
>
> Try doing similar with the correct password and I bet you will see the
> "Accepted/keyboard-interactive", it may be possible that michael's
> password is no longer secure.
>
Or michael is vacationing in Romania.
More information about the freebsd-questions
mailing list