lazr.sshserver

codehosting ssh access log "failed to authenticate" does not include username

Bug #705050 reported by Andrew Bennetts
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lazr.sshserver
Triaged
Low
MAFIADEAL

Bug Description

The codehosting ssh daemon's access log is generally quite nice, but its "failed to authenticate" messages don't include the username. It would be nice to know the username so that we can know how many different users are failing to connect (or if it is the same user over and over), have more clues when debugging problems, etc.

See original description
Tags: easy
Revision history for this message
John A Meinel (jameinel) wrote :

I'm pretty sure this is a launchpad-side thing, not a bzr side thing. We might assign it to the bzr team if we decide to work on it.

affects: bzr → launchpad
Changed in launchpad:
status: New → Confirmed
Michael Hudson-Doyle (mwhudson)
description: updated
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

I think this might be a little tricky to achieve, sadly.

The failed to authenticate message is produced when the client disconnects without authenticating. Which usernames were presented is known by the "UserDetailsMind" object, which is attached to the SSHUserAuthServer object. So I guess we need to somehow record on the transport passed to SSHUserAuthServer.__init__ the usernames that have been recorded, and read them out again in lp.services.sshserver.service.Factory.connectionLost (maybe a WeakKeyDict mapping transports to lists of usernames?)

HTH!

Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 705050] Re: codehosting ssh access log "failed to authenticate" does not include username

On 19 January 2011 19:29, Michael Hudson-Doyle
<email address hidden> wrote:
> I think this might be a little tricky to achieve, sadly.
>
> The failed to authenticate message is produced when the client
> disconnects without authenticating.  Which usernames were presented is
> known by the "UserDetailsMind" object, which is attached to the
> SSHUserAuthServer object.  So I guess we need to somehow record on the
> transport passed to SSHUserAuthServer.__init__ the usernames that have
> been recorded, and read them out again in
> lp.services.sshserver.service.Factory.connectionLost (maybe a
> WeakKeyDict mapping transports to lists of usernames?)

Couldn't we just log them at the time the username is sent, and then
later log that the same client disconnected?

--
Martin

Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

On Fri, 21 Jan 2011 00:08:30 -0000, Martin Pool <email address hidden> wrote:
> On 19 January 2011 19:29, Michael Hudson-Doyle
> <email address hidden> wrote:
> > I think this might be a little tricky to achieve, sadly.
> >
> > The failed to authenticate message is produced when the client
> > disconnects without authenticating.  Which usernames were presented is
> > known by the "UserDetailsMind" object, which is attached to the
> > SSHUserAuthServer object.  So I guess we need to somehow record on the
> > transport passed to SSHUserAuthServer.__init__ the usernames that have
> > been recorded, and read them out again in
> > lp.services.sshserver.service.Factory.connectionLost (maybe a
> > WeakKeyDict mapping transports to lists of usernames?)
>
> Couldn't we just log them at the time the username is sent, and then
> later log that the same client disconnected?

Yeah, that would be simpler. All log messages from the same connection
are identified already (id(transport) is part of the log message) so
this should be fairly easy.

Cheers,
mwh

Robert Collins (lifeless)
Changed in launchpad:
status: Confirmed → Triaged
importance: Undecided → High
Robert Collins (lifeless)
tags: added: east
Changed in launchpad:
importance: High → Low
Colin Watson (cjwatson)
tags: added: easy
removed: east
affects: launchpad → lazr.sshserver
MAFIADEAL (mafiadeal)
Changed in lazr.sshserver:
assignee: nobody → MAFIADEAL (mafiadeal)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.