From owner-freebsd-questions@FreeBSD.ORG Sat Nov 15 00:53:46 2008
From: "Lisa Casey"
Date: Fri, 14 Nov 2008 19:41:16 -0500
Subject: Question about entry in auth.log
X-BeenThere: freebsd-questions@freebsd.org

Hi,

I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this:

Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2

There is a user michael on the system, but whoever was doing this was not him. I am assuming someone tried to break in using a valid username (michael) but with an incorrect password.

So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this:

Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2

and when I used something called keyboard interactive as the primary authentication method in my ssh client, I get this:

sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223

Nothing about Accepted keyboard-interactive/pam. What does Accepted keyboard-interactive/pam mean?

Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that?

Thanks,

Lisa Casey
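
An added example, not part of the original message: a small Python parser that classifies the three sshd line shapes quoted above and lists successful logins from addresses outside a per-user allow-list. The allow-list contents and the function names are assumptions made for illustration; the log lines are the ones from the message.

```python
import re

# The three sshd lines quoted in the message above (the third has no syslog prefix there).
SAMPLE_LOG = """\
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
"""

# Constructed allow-list (an assumption): addresses each user normally logs in from.
KNOWN_SOURCES = {"mandy": {"72.155.127.223"}}

BAD_USER = r"(?:invalid user |illegal user )?"
# sshd logs "Accepted <method> ..." only after authentication has succeeded.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    + BAD_USER + r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: PAM: authentication error for "
    + BAD_USER + r"(?P<user>\S+) from (?P<ip>\S+)")

def parse_line(line):
    """Return a dict for one sshd authentication event, or None if unrecognised."""
    m = AUTH_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["result"] = ev["result"].lower()
        return ev
    m = PAM_RE.search(line)
    if m:  # the PAM error line carries no method or port
        return dict(m.groupdict(), result="failed", method="pam", port=None)
    return None

def unexpected_logins(log_text, known_sources):
    """Successful logins whose source address is not on the user's allow-list."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "accepted" \
                and ev["ip"] not in known_sources.get(ev["user"], set()):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in unexpected_logins(SAMPLE_LOG, KNOWN_SOURCES):
        print("accepted login from unlisted address:",
              ev["user"], ev["ip"], ev["method"], "pid", ev["pid"])
```
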