touch-packages team mailing list archive

Thread
Date

[Bug 1534340] Re: openssh server 6.6 does not report max auth failures

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Steve Langasek <steve.langasek@xxxxxxxxxxxxx>
Date: Wed, 27 Jan 2016 01:32:43 -0000
Reply-to: Bug 1534340 <1534340@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hello Kees, or anyone else affected,

Accepted openssh into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.6 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1534340

Title:
  openssh server 6.6 does not report max auth failures

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  Fix Committed

Bug description:
  Brute force attacks against openssh on Trusty will not log "max auth"
  key-based attempts, leaving their brute forcing invisible to the logs
  and anything that consumes logs, like fail2ban. Version 6.7 introduced
  the logging, but it's missing in Trusty. Since Trusty is LTS, it would
  seem sensible to have this feature backported.

  [Impact] Bruce force attempts using private keys are invisible to
  logs, which renders defenses like fail2ban useless.

  [Test case] Create 20 SSH keys, try to log in over SSH, note lack of
  logging the failures.

  [Regression Potential] Very unlikely regression potential as the "max
  auth" condition is already handled in code, it just wasn't logging.
  The change only adds the missing logging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+subscriptions

References

[Bug 1534340] [NEW] openssh server 6.6 does not report max auth failures
From: Kees Cook, 2016-01-14