[Logcheck-devel] Bug#799304: logcheck-database: rule for sshd accepted key rule is obsolete
Rafael Laboissiere
rlabs.smtp at gmail.com
Thu Sep 17 17:54:13 UTC 2015
Package: logcheck-database
Version: 1.3.17
Severity: normal
The following rule in ignore.d.server/ssh:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?(: (RSA|ECDSA) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$
does not work with version 6.9 of OpenSSH. Log entries on my system
now look like this:
Sep 16 10:35:04 rlaboiss sshd[17173]: Accepted publickey for xxxxxx from 000.000.000.000 port 000 ssh2: RSA SHA256:JZNBRCNIMW8ghcZp1zDcWRjWcJm5N/1hFkV8pVlDWXY
The problem is that the key hash at the end:
SHA256:JZNBRCNIMW8ghcZp1zDcWRjWcJm5N/1hFkV8pVlDWXY
does not match the end of the rule:
([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})
Please fix it.
Thanks,
Rafael Laboissiere
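
Added example (not part of the original report, and not the fix adopted by logcheck): a shell check that runs the reported rule and a candidate replacement against sample lines with grep -E. The candidate rule tail, the extra key types (DSA, ED25519), the optional MD5: prefix and the two constructed log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: test logcheck ignore rules against sshd "Accepted" lines
# with grep -E (the rule uses \w, a GNU grep extension to POSIX ERE).

# Common part of the rule, copied from ignore.d.server/ssh as quoted in the report.
PREFIX='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted (gssapi(-with-mic|-keyex)?|rsa|dsa|password|publickey|keyboard-interactive/pam|hostbased) for [^[:space:]]+ from [^[:space:]]+ port [[:digit:]]+( (ssh|ssh2))?'

# Tail as reported: only 16 colon-separated hex pairs are accepted.
OLD_RULE="$PREFIX"'(: (RSA|ECDSA) ([[:xdigit:]]{2}:){15}[[:xdigit:]]{2})?$'

# Candidate tail (assumption): also accept "SHA256:" followed by 43 unpadded
# base64 characters (a 32-byte digest), and keep the trailing $ anchor so a
# malformed line is still reported instead of silently ignored.
NEW_RULE="$PREFIX"'(: (RSA|DSA|ECDSA|ED25519) ((MD5:)?([[:xdigit:]]{2}:){15}[[:xdigit:]]{2}|SHA256:[[:alnum:]+/]{43}))?$'

# Log line from the report (OpenSSH 6.9, SHA256 fingerprint).
LINE_SHA256='Sep 16 10:35:04 rlaboiss sshd[17173]: Accepted publickey for xxxxxx from 000.000.000.000 port 000 ssh2: RSA SHA256:JZNBRCNIMW8ghcZp1zDcWRjWcJm5N/1hFkV8pVlDWXY'
# Constructed line in the older hex fingerprint format.
LINE_MD5='Sep 16 10:35:04 rlaboiss sshd[17173]: Accepted publickey for xxxxxx from 000.000.000.000 port 000 ssh2: RSA aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99'
# Constructed line with a truncated fingerprint; no rule should ignore it.
LINE_SHORT='Sep 16 10:35:04 rlaboiss sshd[17173]: Accepted publickey for xxxxxx from 000.000.000.000 port 000 ssh2: RSA SHA256:tooshort'

# rule_matches RULE LINE: exit status 0 if logcheck would ignore LINE under RULE.
rule_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verdict RULE LINE: print what would happen to LINE under RULE.
verdict() {
    if rule_matches "$1" "$2"; then echo ignored; else echo REPORTED; fi
}

for line in "$LINE_SHA256" "$LINE_MD5" "$LINE_SHORT"; do
    printf 'old=%-8s new=%-8s %s\n' \
        "$(verdict "$OLD_RULE" "$line")" "$(verdict "$NEW_RULE" "$line")" "${line##*ssh2: }"
done
```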