Date: Fri, 14 Nov 2008 19:41:16 -0500 From: "Lisa Casey" <lisa@jellico.com> To: <freebsd-questions@freebsd.org> Subject: Question about entry in auth.log Message-ID: <B8B09B39A8884900970CF2434D40F6C4@CaseyHome>
next in thread | raw e-mail | index | archive | help
Hi, I run several FreeBSD servers. Today I noticed an entry in the auth.log on one of them that concerns me. The entry is this: Nov 12 15:44:29 mail sshd[30160]: Accepted keyboard-interactive/pam for michael from 89.123.165.3 po rt 55185 ssh2 There is a user michael on the system, but whoever was doing this was not him. I am assuming someone tried to break in using a valid username (michael) but with an incorrect password. So I just conducted an experiment to see if I could replicate that log entry using another valid username: mandy. I ssh'ed into the server, gave mandy as the username with an incorrect password. The auth.log entry for that attempt is this: Nov 14 19:44:54 mail sshd[96194]: Failed password for mandy from 72.155.127.223 port 51919 ssh2 and when I used something called keyboard interactive as the primary authentication method in my ssh client, I get this: sshd[96348]: error: PAM: authentication error for mandy from 72.155.127.223 Nothing about Accepted keyboard-interactive/pam. What does Accepted keyboard-interactive/pam mean? Also, in my ssh client, for authentication methods I have a choice of password, publickey or keyboard interactive. I've always used password, and never even noticed that keyboard interactive before. What is that? Thanks, Lisa Casey
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B8B09B39A8884900970CF2434D40F6C4>