Date: Fri, 14 Nov 2008 20:04:00 -0500 From: Tom Marchand <m0rchand@comcast.net> To: freebsd-questions@freebsd.org Subject: Re: Question about entry in auth.log Message-ID: <692726B5-52B5-46AC-9C79-41553179AF36@comcast.net> In-Reply-To: <BAY122-DAV1214B45821956EB1D7B782BA110@phx.gbl> References: <B8B09B39A8884900970CF2434D40F6C4@CaseyHome> <BAY122-DAV1214B45821956EB1D7B782BA110@phx.gbl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 14, 2008, at 8:00 PM, Steven Susbauer wrote: > Lisa Casey wrote: >> Hi, >> >> I run several FreeBSD servers. Today I noticed an entry in the >> auth.log >> on one of them that concerns me. The entry is this: >> >> Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam >> for >> michael from 89.123.165.3 po >> rt 55185 ssh2 >> >> There is a user michael on the system, but whoever was doing this was >> not him. >> >> I am assuming someone tried to break in using a valid username >> (michael) >> but with an incorrect password. So I just conducted an experiment >> to see >> if I could replicate that log entry using another valid username: >> mandy. >> I ssh'ed into the server, gave mandy as the username with an >> incorrect >> password. The auth.log entry for that attempt is this: >> >> Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from >> 72.155.127.223 port 51919 ssh2 >> >> and when I used something called keyboard interactive as the primary >> authentication method in my ssh client, I get this: >> >> sshd[96348]: error: PAM: authentication error for mandy from >> 72.155.127.223 >> >> Nothing about Accepted keyboard-interactive/pam. What does Accepted >> keyboard-interactive/pam mean? >> >> Also, in my ssh client, for authentication methods I have a choice of >> password, publickey or keyboard interactive. I've always used >> password, >> and never even noticed that keyboard interactive before. What is >> that? >> >> Thanks, >> >> Lisa Casey >> > Keyboard-interactive includes when the server sends requests such as > "Password:" to which the connector responds by typing their password. > This is different from entering the password in your client before > connecting. Example: > > $ ssh steve@thinkpad > steve@thinkpad's password: > > Try doing similar with the correct password and I bet you will see the > "Accepted/keyboard-interactive", it may be possible that michael's > password is no longer secure. > Or michael is vacationing in Romania.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?692726B5-52B5-46AC-9C79-41553179AF36>