From: Steven Susbauer
Date: Fri, 14 Nov 2008 19:00:56 -0600
To: Lisa Casey
Cc: freebsd-questions@freebsd.org
Subject: Re: Question about entry in auth.log
Message-ID: <491E1F48.6070901@hotmail.com>

Lisa Casey wrote:
> Hi,
>
> I run several FreeBSD servers. Today I noticed an entry in the auth.log
> on one of them that concerns me. The entry is this:
>
> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>
> There is a user michael on the system, but whoever was doing this was
> not him.
>
> I am assuming someone tried to break in using a valid username (michael)
> but with an incorrect password. So I just conducted an experiment to see
> if I could replicate that log entry using another valid username: mandy.
> I ssh'ed into the server, gave mandy as the username with an incorrect
> password. The auth.log entry for that attempt is this:
>
> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
>
> and when I used something called keyboard interactive as the primary
> authentication method in my ssh client, I get this:
>
> sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
>
> Nothing about Accepted keyboard-interactive/pam. What does Accepted
> keyboard-interactive/pam mean?
>
> Also, in my ssh client, for authentication methods I have a choice of
> password, publickey or keyboard interactive. I've always used password,
> and never even noticed that keyboard interactive before. What is that?
>
> Thanks,
>
> Lisa Casey
>

Keyboard-interactive includes when the server sends requests such as
"Password:" to which the connector responds by typing their password.
This is different from entering the password in your client before
connecting.

Example:

$ ssh steve@thinkpad
steve@thinkpad's password:

Try doing similar with the correct password and I bet you will see the
"Accepted/keyboard-interactive". It may be possible that michael's
password is no longer secure.
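
Added example, not part of the original message: a short Python triage of sshd auth.log lines in the formats quoted above. It lists each accepted login with its method, the number of earlier failed attempts from the same address, and whether the address falls outside the user's usual networks. The sample lines, the addresses and the EXPECTED allow-list are constructed assumptions.

```python
import ipaddress
import re

# Message formats as quoted in the thread's auth.log excerpts.
SSHD = re.compile(r"sshd\[\d+\]: (?P<msg>.*)$")
EVENTS = [
    ("accepted", re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(r"error: PAM: authentication error for (?P<user>\S+) from (?P<ip>\S+)")),
]

def parse(line):
    """Return (outcome, fields) for a recognised sshd line, else None."""
    m = SSHD.search(line)
    for outcome, rx in (EVENTS if m else []):
        hit = rx.match(m["msg"])
        if hit:
            return outcome, hit.groupdict()
    return None

def review_accepted(lines, expected):
    """Describe every accepted login: method, earlier failures from the same
    address, and whether the address is outside the user's expected networks.
    `expected` (user -> list of CIDR strings) is a hypothetical allow-list."""
    failures, findings = {}, []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        outcome, f = parsed
        if outcome == "failed":
            failures[f["ip"]] = failures.get(f["ip"], 0) + 1
            continue
        nets = [ipaddress.ip_network(n) for n in expected.get(f["user"], [])]
        try:
            known = any(ipaddress.ip_address(f["ip"]) in n for n in nets)
        except ValueError:  # sshd logged a hostname instead of an address
            known = False
        findings.append({**f, "prior_failures": failures.get(f["ip"], 0),
                         "unexpected_source": not known})
    return findings

# Constructed sample lines using documentation addresses, not a real log.
SAMPLE = [
    "Nov 14 09:01:10 mail sshd[101]: Failed password for mandy from 203.0.113.7 port 40001 ssh2",
    "Nov 14 09:01:12 mail sshd[102]: error: PAM: authentication error for michael from 203.0.113.7",
    "Nov 14 09:01:15 mail sshd[103]: Accepted keyboard-interactive/pam for michael from 203.0.113.7 port 40003 ssh2",
    "Nov 14 09:30:00 mail sshd[104]: Accepted password for mandy from 192.0.2.20 port 40100 ssh2",
]
EXPECTED = {"michael": ["198.51.100.0/24"], "mandy": ["192.0.2.0/24"]}
```

Calling review_accepted(SAMPLE, EXPECTED) returns one entry per accepted login; an entry with prior failures and an unexpected source is the one to follow up with the account owner.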