From: Tom Marchand
To: freebsd-questions@freebsd.org
Subject: Re: Question about entry in auth.log
Date: Fri, 14 Nov 2008 20:04:00 -0500

On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote:

> Lisa Casey wrote:
>> Hi,
>>
>> I run several FreeBSD servers. Today I noticed an entry in the auth.log
>> on one of them that concerns me. The entry is this:
>>
>> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
>>
>> There is a user michael on the system, but whoever was doing this was
>> not him.
>>
>> I am assuming someone tried to break in using a valid username (michael)
>> but with an incorrect password. So I just conducted an experiment to see
>> if I could replicate that log entry using another valid username: mandy.
>> I ssh'ed into the server, gave mandy as the username with an incorrect
>> password. The auth.log entry for that attempt is this:
>>
>> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
>>
>> and when I used something called keyboard interactive as the primary
>> authentication method in my ssh client, I get this:
>>
>> sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
>>
>> Nothing about Accepted keyboard-interactive/pam. What does Accepted
>> keyboard-interactive/pam mean?
>>
>> Also, in my ssh client, for authentication methods I have a choice of
>> password, publickey or keyboard interactive. I've always used password,
>> and never even noticed that keyboard interactive before. What is that?
>>
>> Thanks,
>>
>> Lisa Casey
>>
> Keyboard-interactive includes when the server sends requests such as
> "Password:" to which the connector responds by typing their password.
> This is different from entering the password in your client before
> connecting. Example:
>
> $ ssh steve@thinkpad
> steve@thinkpad's password:
>
> Try doing similar with the correct password and I bet you will see the
> "Accepted/keyboard-interactive", it may be possible that michael's
> password is no longer secure.
>

Or michael is vacationing in Romania.
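
An added example, not part of the original messages: in sshd's log an `Accepted ...` entry records a successful authentication, while `Failed password` and `error: PAM: authentication error` record failed ones. The sketch below parses the three entry shapes quoted in this thread and reports successful logins from outside a per-user allowlist; the allowlist, the function names and the fourth sample entry are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Entries 1-3 are quoted in the thread (the timestamp on entry 3 is
# constructed); entry 4 is a constructed successful login for contrast.
SAMPLE_LOG = """\
Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 port 55185 ssh2
Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2
Nov 14 19:45:10 mail sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223
Nov 14 19:46:02 mail sshd[96401]: Accepted password for mandy from 72.155.127.223 port 51920 ssh2
"""
# Constructed allowlist of each user's usual source networks (assumption).
EXPECTED_NETS = {"michael": ["192.0.2.0/24"], "mandy": ["72.155.127.0/24"]}

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for (?:invalid user )?"
    r"|error: PAM: authentication error for (?:illegal user )?)"
    r"(?P<user>\S+) from (?P<ip>\S+)")

def classify(line):
    """Return (outcome, user, ip, method) for an sshd auth entry, else None."""
    m = ACCEPTED.search(line)
    if m:
        return ("accepted", m["user"], m["ip"], m["method"])
    m = FAILED.search(line)
    return ("failed", m["user"], m["ip"], None) if m else None

def in_expected(ip, nets):
    """True if ip lies in one of nets; a non-IP source counts as unexpected."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in ip_network(n) for n in nets)

def unexpected_logins(log_text, expected_nets):
    """Successful logins from outside the user's usual networks."""
    failures, findings = Counter(), []
    for outcome, user, ip, method in filter(None, map(classify, log_text.splitlines())):
        if outcome == "failed":
            failures[(user, ip)] += 1   # failures seen before any later success
        elif not in_expected(ip, expected_nets.get(user, [])):
            findings.append({"user": user, "ip": ip, "method": method,
                             "prior_failures": failures[(user, ip)]})
    return findings
```

Calling `unexpected_logins(SAMPLE_LOG, EXPECTED_NETS)` returns only the michael entry, with `prior_failures` of 0: the login succeeded without any failed attempt from that address in the sample.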