codehosting ssh access log "failed to authenticate" does not include username

Bug #705050 reported by Andrew Bennetts on 2011-01-19
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lazr.sshserver
Low
Unassigned

Bug Description

The codehosting ssh daemon's access log is generally quite nice, but its "failed to authenticate" messages don't include the username. It would be nice to know the username so that we can know how many different users are failing to connect (or if it is the same user over and over), have more clues when debugging problems, etc.

John A Meinel (jameinel) wrote :

I'm pretty sure this is a launchpad-side thing, not a bzr side thing. We might assign it to the bzr team if we decide to work on it.

affects: bzr → launchpad
Changed in launchpad:
status: New → Confirmed
description: updated
Michael Hudson-Doyle (mwhudson) wrote :

I think this might be a little tricky to achieve, sadly.

The failed to authenticate message is produced when the client disconnects without authenticating. Which usernames were presented is known by the "UserDetailsMind" object, which is attached to the SSHUserAuthServer object. So I guess we need to somehow record on the transport passed to SSHUserAuthServer.__init__ the usernames that have been recorded, and read them out again in lp.services.sshserver.service.Factory.connectionLost (maybe a WeakKeyDict mapping transports to lists of usernames?)

HTH!

On 19 January 2011 19:29, Michael Hudson-Doyle
<email address hidden> wrote:
> I think this might be a little tricky to achieve, sadly.
>
> The failed to authenticate message is produced when the client
> disconnects without authenticating.  Which usernames were presented is
> known by the "UserDetailsMind" object, which is attached to the
> SSHUserAuthServer object.  So I guess we need to somehow record on the
> transport passed to SSHUserAuthServer.__init__ the usernames that have
> been recorded, and read them out again in
> lp.services.sshserver.service.Factory.connectionLost (maybe a
> WeakKeyDict mapping transports to lists of usernames?)

Couldn't we just log them at the time the username is sent, and then
later log that the same client disconnected?

--
Martin

Michael Hudson-Doyle (mwhudson) wrote :

On Fri, 21 Jan 2011 00:08:30 -0000, Martin Pool <email address hidden> wrote:
> On 19 January 2011 19:29, Michael Hudson-Doyle
> <email address hidden> wrote:
> > I think this might be a little tricky to achieve, sadly.
> >
> > The failed to authenticate message is produced when the client
> > disconnects without authenticating.  Which usernames were presented is
> > known by the "UserDetailsMind" object, which is attached to the
> > SSHUserAuthServer object.  So I guess we need to somehow record on the
> > transport passed to SSHUserAuthServer.__init__ the usernames that have
> > been recorded, and read them out again in
> > lp.services.sshserver.service.Factory.connectionLost (maybe a
> > WeakKeyDict mapping transports to lists of usernames?)
>
> Couldn't we just log them at the time the username is sent, and then
> later log that the same client disconnected?

Yeah, that would be simpler. All log messages from the same connection
are identified already (id(transport) is part of the log message) so
this should be fairly easy.

Cheers,
mwh

Changed in launchpad:
status: Confirmed → Triaged
importance: Undecided → High
tags: added: east
Changed in launchpad:
importance: High → Low
Colin Watson (cjwatson) on 2015-01-14
tags: added: easy
removed: east
affects: launchpad → lazr.sshserver
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers