[Logcheck-devel] Bug#743000: Bug#743000: logcheck: i.d.s/ssh regex doesn't match when using key exchange authentication

Alberto Gonzalez Iniesta agi at inittab.org
Fri Apr 4 07:51:57 UTC 2014


On Fri, Apr 04, 2014 at 01:19:07AM +0200, Philou wrote:
> Hi Alberto,
> 
> You mean, which ssh option? Default sshd configuration on the
> server, it's just that, as I'm using key exchange authentication, some
> text is appended at the end of the syslog message ": RSA
> e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c", and as such the very
> first regex of i.d.s/ssh won't match

Hi!

I thought you were using some option in order to get the key fingerprint
in the logs, since none of my systems did that. Now I was able to
reproduce it. Thanks, this will be fixed.

Regards,

Alberto



> 
> > On 2 Apr 2014, at 18:58, Alberto Gonzalez Iniesta <agi at inittab.org>
> > wrote:
> > 
> >> On Sat, Mar 29, 2014 at 10:53:09PM +0100, philou wrote:
> >> Current regex in i.d.s/ssh doesn't match when using key exchange
> >> authentication.
> >> 
> >> If not using key exchange authentication, the following log message
> >> will be correctly ignored:
> >> 
> >> Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from
> >> 192.0.2.60 port 20042 ssh2
> >> 
> >> When using key exchange authentication, the following log message
> >> will NOT be ignored:
> >> 
> >> Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from
> >> 192.0.2.60 port 60594 ssh2: RSA
> >> e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c
> > 
> > Hi Philippe, 
> > 
> > Could you tell me which option you are using in order to get the
> > latter message? That way I can reproduce it and fix the rule.
> > 
> > Thanks,
> > 
> > Alberto
> > 
> > -- 
> > Alberto Gonzalez Iniesta    | Training, consulting and technical support
> > mailto/sip: agi at inittab.org | for GNU/Linux and free software
> > Encrypted mail preferred    | http://inittab.com
> > 
> > Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: agi at inittab.org | for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
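
The mismatch reported in this thread, as an added example that is not part of the original messages and not the rule shipped in logcheck: the two patterns below are constructed in the style of an ignore rule (POSIX ERE, as used with grep -E), one ending at "ssh2" and one that also accepts the optional key type and fingerprint suffix while keeping the end anchor. The suffix format is assumed from the log line quoted in the report.

```sh
#!/bin/sh
# Constructed patterns in the style of a logcheck ignore rule.
# They are illustrative, not copied from ignore.d.server/ssh.
PREFIX='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: '
BODY='Accepted publickey for [^[:space:]]+ from [^[:space:]]+ port [0-9]+ ssh2'
# Optional suffix: ": <KEYTYPE> <16 colon-separated hex byte pairs>"
FPR='(: [A-Z0-9-]+ ([0-9a-f]{2}:){15}[0-9a-f]{2})?'

OLD_RULE="${PREFIX}${BODY}\$"          # anchored right after "ssh2"
NEW_RULE="${PREFIX}${BODY}${FPR}\$"    # fingerprint allowed, still anchored

# matches RULE LINE -> exit status 0 if the rule matches the whole line
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verdict RULE LINE -> "ignored" if the rule filters the line, else "reported"
verdict() {
    if matches "$1" "$2"; then echo ignored; else echo reported; fi
}

# The two log lines from the bug report, each joined onto one line.
PLAIN='Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2'
WITH_FPR='Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c'
# Constructed line: trailing text that is not a fingerprint should still
# reach the report, which is why the suffix is spelled out instead of ".*".
JUNK="${PLAIN}: unexpected trailing text"

for line in "$PLAIN" "$WITH_FPR" "$JUNK"; do
    printf 'old=%-8s new=%-8s %s\n' \
        "$(verdict "$OLD_RULE" "$line")" \
        "$(verdict "$NEW_RULE" "$line")" \
        "$line"
done
```
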


