[Logcheck-devel] Bug#743000: logcheck: i.d.s/ssh regex doesn't match when using key exchange authentication

philou philou at philou.org
Sat Mar 29 21:53:09 UTC 2014


Package: logcheck
Version: 1.3.16
Severity: normal

Dear Maintainer,

Current regex in i.d.s/ssh doesn't match when using key exchange authentication.

If not using key exchange authentication, the following log message will be correctly ignored:

Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2

When using key exchange authentication, the following log message will NOT be ignored:

Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c

The regex is:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?$

and will not match the key fingerprint.

Truly yours,

Philippe

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.12-1-486
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages logcheck depends on:
ii  adduser                             3.113+nmu3
ii  cron                                3.0pl1-124
pn  default-mta | mail-transport-agent  <none>
ii  lockfile-progs                      0.1.17
ii  logtail                             1.3.16
ii  mime-construct                      1.11
ii  rsyslog [system-log-daemon]         7.6.3-1

Versions of packages logcheck recommends:
ii  logcheck-database  1.3.16

Versions of packages logcheck suggests:
pn  syslog-summary  <none>

-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- no debconf information
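
Added example, not part of the original report: a shell check that runs the rule quoted above against both sample log lines with grep -E, next to a candidate rule that also accepts the key type and fingerprint suffix. The candidate suffix pattern, the `ignored` helper and the third log line are assumptions made for this illustration, not the fix shipped by logcheck.

```shell
#!/bin/sh
# Compare the reported ignore rule with a candidate that tolerates the
# ": <keytype> <fingerprint>" suffix. Illustration only, not logcheck's code.

# Common part of the rule, copied from the report up to the port number.
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+'

# Rule exactly as quoted in the report.
CURRENT_RULE="${PREFIX}"'( (ssh|ssh2))?$'

# Candidate (assumption): optional key type plus a 16-byte colon-separated
# hex fingerprint, the format shown in the report's second log line.
CANDIDATE_RULE="${PREFIX}"'( (ssh|ssh2)(: [-[:alnum:]]+ ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?)?$'

# Log lines from the report.
LINE_PLAIN='Jan 28 11:52:05 server sshd[1003]: Accepted publickey for fred from 192.0.2.60 port 20042 ssh2'
LINE_FP='Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c'
# Constructed line: the suffix is not a fingerprint, so it should still be reported.
LINE_ODD='Jan 28 11:51:43 server sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA not-a-fingerprint'

# ignored RULE LINE: exit 0 if the rule matches, i.e. the line would be
# filtered out of the report; exit 1 if the line would still be reported.
ignored() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# Print a small result table when run directly.
for name in CURRENT_RULE CANDIDATE_RULE; do
    eval "rule=\$$name"
    for line in "$LINE_PLAIN" "$LINE_FP" "$LINE_ODD"; do
        if ignored "$rule" "$line"; then verdict=ignored; else verdict=REPORTED; fi
        printf '%-14s %-8s %s\n' "$name" "$verdict" "$line"
    done
done
```

The anchored `$` is what keeps the candidate strict: anything after the port that is not `ssh`/`ssh2` with an optional well-formed fingerprint still reaches the report.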


