openssh server 6.6 does not report max auth failures

Bug #1534340 reported by Kees Cook on 2016-01-14
Affects            Status        Importance  Assigned to  Milestone
openssh (Ubuntu)   Fix Released  Medium      Unassigned
Trusty             Fix Released  Medium      Kees Cook

Bug Description

Brute force attacks against openssh on Trusty will not log "max auth" key-based attempts, leaving their brute forcing invisible to the logs and anything that consumes logs, like fail2ban. Version 6.7 introduced the logging, but it's missing in Trusty. Since Trusty is LTS, it would seem sensible to have this feature backported.

[Impact] Brute force attempts using private keys are invisible to logs, which renders defenses like fail2ban useless.

[Test case] Create 20 SSH keys, try to log in over SSH, note lack of logging the failures.

[Regression Potential] Very unlikely regression potential as the "max auth" condition is already handled in code, it just wasn't logging. The change only adds the missing logging.
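The failure mode the description and test case point at (key-based "max auth" disconnects that no log consumer can attribute to a source address), as an added example that is not part of the bug report or of the openssh package: a fail2ban-style filter run over constructed auth.log lines, showing that the pre-backport disconnect message yields a user name but no host to ban, while a message that carries the peer address does. The two log wordings are assumed from upstream sshd sources of that era rather than quoted from this page, and the sample lines, the `maxretry` threshold and the function names are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the bug report). The first
# block imitates the Trusty sshd 6.6 behaviour described above: the disconnect
# on hitting MaxAuthTries names the user but not the peer address. The second
# block imitates messages that carry the address and port, as the backport is
# meant to provide. Exact wording is assumed from upstream sshd sources.
LOG_BEFORE_FIX = """\
Jan 14 10:00:01 host sshd[1234]: Disconnecting: Too many authentication failures for root [preauth]
Jan 14 10:00:02 host sshd[1235]: Disconnecting: Too many authentication failures for invalid user admin [preauth]
Jan 14 10:00:03 host sshd[1236]: Disconnecting: Too many authentication failures for root [preauth]
"""

LOG_AFTER_FIX = """\
Jan 14 10:00:04 host sshd[1240]: Disconnecting: Too many authentication failures for root from 203.0.113.7 port 51234 ssh2 [preauth]
Jan 14 10:00:05 host sshd[1241]: Disconnecting: Too many authentication failures for invalid user admin from 203.0.113.7 port 51240 ssh2 [preauth]
Jan 14 10:00:06 host sshd[1242]: error: maximum authentication attempts exceeded for backup from 198.51.100.9 port 40000 ssh2 [preauth]
"""

# One pattern for both wordings (the 6.x "Too many authentication failures"
# disconnect and the later "maximum authentication attempts exceeded" error).
# The "from <host>" group is optional so that the pre-fix lines still parse,
# which lets us show exactly what a banning tool can and cannot learn from them.
MAXAUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:error: |Disconnecting: )?"
    r"(?:Too many authentication failures for|maximum authentication attempts exceeded for) "
    r"(?:invalid user )?(?P<user>\S+)"
    r"(?: from (?P<host>\S+)(?: port (?P<port>\d+))?(?: ssh\d*)?)?"
)


def parse_maxauth(line):
    """Return {'user', 'host', 'port'} for a max-auth event, else None.

    'host' is None when the line carries no source address, i.e. the
    pre-backport format on Trusty.
    """
    m = MAXAUTH_RE.search(line)
    if not m:
        return None
    return {"user": m.group("user"), "host": m.group("host"), "port": m.group("port")}


def maxauth_events(log_text):
    """All max-auth events in a log excerpt, in order."""
    events = []
    for line in log_text.splitlines():
        ev = parse_maxauth(line)
        if ev is not None:
            events.append(ev)
    return events


def ban_candidates(log_text, maxretry=2):
    """Hosts that hit MaxAuthTries at least `maxretry` times.

    This is the decision fail2ban-style tooling makes; it can only count
    events that name a host, so events without one are dropped silently.
    """
    counts = Counter(ev["host"] for ev in maxauth_events(log_text) if ev["host"])
    return sorted(h for h, n in counts.items() if n >= maxretry)


def invisible_events(log_text):
    """Max-auth events that a host-based ban list cannot act on."""
    return [ev for ev in maxauth_events(log_text) if ev["host"] is None]


if __name__ == "__main__":
    print("before fix: bans", ban_candidates(LOG_BEFORE_FIX),
          "invisible", len(invisible_events(LOG_BEFORE_FIX)))
    print("after fix:  bans", ban_candidates(LOG_AFTER_FIX),
          "invisible", len(invisible_events(LOG_AFTER_FIX)))
```

The point of the `invisible_events` count is the one the [Impact] paragraph makes: on the pre-fix lines every max-auth event parses, but none of them can feed a ban decision, so a brute forcer cycling through keys never accumulates a count against its address.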

Kees Cook (kees) on 2016-01-14
Changed in openssh (Ubuntu):
status: New → Fix Released
Changed in openssh (Ubuntu Trusty):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :
description: updated
Kees Cook (kees) on 2016-01-14
Changed in openssh (Ubuntu Trusty):
status: New → In Progress

Hello Kees, or anyone else affected,

Accepted openssh into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssh (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Simon Déziel (sdeziel) wrote :

Works well, thank you!

tags: added: verification-done
removed: verification-needed
Steve Langasek (vorlon) wrote :

Hello Kees, or anyone else affected,

Accepted openssh into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-done
tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Steve Langasek (vorlon) wrote :

This SRU collided mid-air with another update that was needed. Given the 7-day baking period for SRUs, we've stacked the two SRUs rather than waiting for this one to clear. But no re-verification is needed, as the delta for the new SRU doesn't change any related code.

The verification of the Stable Release Update for openssh has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.6

---------------
openssh (1:6.6p1-2ubuntu2.6) trusty; urgency=medium

  * debian/control, debian/rules: enable libaudit support. (LP: #1478087)

openssh (1:6.6p1-2ubuntu2.5) trusty-proposed; urgency=medium

  * Backport upstream reporting of max auth attempts, so that fail2ban
    and similar tools can learn the IP address of brute forcers.
    (LP: #1534340)
    - debian/patches/report-max-auth.patch

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Jan 2016 10:38:35 -0500

Changed in openssh (Ubuntu Trusty):
status: Fix Committed → Fix Released
Changed in openssh (Ubuntu):
importance: Undecided → Medium
Changed in openssh (Ubuntu Trusty):
importance: Undecided → Medium
information type: Public → Public Security