touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #134384
[Bug 1534340] Update Released
The verification of the Stable Release Update for openssh has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1534340
Title:
openssh server 6.6 does not report max auth failures
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Trusty:
Fix Committed
Bug description:
Brute force attacks against openssh on Trusty will not log "max auth"
key-based attempts, leaving their brute forcing invisible to the logs
and anything that consumes logs, like fail2ban. Version 6.7 introduced
the logging, but it's missing in Trusty. Since Trusty is LTS, it would
seem sensible to have this feature backported.
[Impact] Bruce force attempts using private keys are invisible to
logs, which renders defenses like fail2ban useless.
[Test case] Create 20 SSH keys, try to log in over SSH, note lack of
logging the failures.
[Regression Potential] Very unlikely regression potential as the "max
auth" condition is already handled in code, it just wasn't logging.
The change only adds the missing logging.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+subscriptions
References