[Logcheck-devel] Bug#400426: logcheck-database: ssh gssapi-keyex authentication method

Russ Allbery rra at debian.org
Sun Nov 26 04:40:23 UTC 2006


Package: logcheck-database
Version: 1.2.51
Severity: minor
Tags: patch

ssh in etch now supports the gssapi-keyex authentication method, which
produces syslog messages like:

Nov 22 15:39:51 windlord sshd[30504]: Accepted gssapi-keyex for eagle from 171.66.157.13 port 2267 ssh2

Here's the obvious patch to filter these out.

--- /home/eagle/tmp/logcheck-1.2.51/rulefiles/linux/ignore.d.server/ssh	2006-11-13 07:09:23.000000000 -0800
+++ /etc/logcheck/ignore.d.server/ssh	2006-11-25 20:18:57.000000000 -0800
@@ -1,4 +1,4 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Postponed keyboard-interactive(/pam)? for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: PAM pam_putenv: delete non-existent entry; [[:alnum:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Server listening on [:[:xdigit:].]+ port [[:digit:]]+\.$
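
Review bot: The file headers of this hunk compare two different trees, the unpacked source at /home/eagle/tmp/logcheck-1.2.51/rulefiles/linux/ignore.d.server/ssh and the installed copy at /etc/logcheck/ignore.d.server/ssh, so the change should be regenerated or applied by hand against rulefiles/linux/ignore.d.server/ssh in the source tree. The regex change on the "+" line is confined to the alternation, gssapi(-with-mic|-keyex)?, which still accepts bare gssapi and gssapi-with-mic and now also gssapi-keyex. The sample "Accepted gssapi-keyex for eagle ..." line from the report matches the new rule and not the old one, so it is worth keeping as a test line for this rule.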

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.5.8      Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:




