![](https://seccdn.libravatar.org/avatar/c6ef89d28780332254029b8031000e36.jpg?s=120&d=mm&r=g)
Hi all! Is there a possibility to display failed logins during ssh-Login, like "FAILLOG_ENAB yes" in /etc/login.defs does for rlogin/telnet ?? Regards, Volker Weinberg ---------------------------------------------------------------------------- Volker Weinberg email: volker.weinberg@physik.uni-muenchen.de Dept.of Physics phone: Univ. of Munich at home: (089) 14 56 09 (Germany) at CIP: (089) 21 80-24 05 address: Andernacher Str. 17 80993 Muenchen ----------------------------------------------------------------------------
![](https://seccdn.libravatar.org/avatar/bbb8bbe88d3c0ebe19dc932cfa0b693c.jpg?s=120&d=mm&r=g)
Hi all!
Is there a possibility to display failed logins during ssh-Login, like "FAILLOG_ENAB yes" in /etc/login.defs does for rlogin/telnet ??
RedHat 7.0 by default does: Nov 13 04:35:10 server sshd[6635]: Failed password for seifried from 127.0.0.1 port 1023 ssh2 Nov 13 04:35:10 server last message repeated 2 times Nov 13 04:35:10 server sshd[6635]: Connection closed by 127.0.0.1 Here's the bit of my sshd_config: # Logging SyslogFacility AUTH LogLevel INFO You probably have a different logging level enabled that provides less info, also check syslog.conf for where the output is going.
Regards,
Volker Weinberg
-Kurt
![](https://seccdn.libravatar.org/avatar/901a8f30bbe3f1bd71b426bd8aa947fe.jpg?s=120&d=mm&r=g)
Quoting Kurt Seifried (listuser@seifried.org) on Mon, Nov 13, 2000 at 12:38:05PM +0100:
Is there a possibility to display failed logins during ssh-Login, like "FAILLOG_ENAB yes" in /etc/login.defs does for rlogin/telnet ??
RedHat 7.0 by default does:
Nov 13 04:35:10 server sshd[6635]: Failed password for seifried from 127.0.0.1 port 1023 ssh2
Me thinks he is refering to the message a user sees when logging in. Maybe UseLogin works, haven't tried it for a while. cheers afx -- atsec information security GmbH Phone: +49-89-44249830 Steinstrasse 68 Fax: +49-89-44249831 D-81667 Muenchen, Germany May the Source be with you!
![](https://seccdn.libravatar.org/avatar/022f46012ab288680f10e2f3b98064c0.jpg?s=120&d=mm&r=g)
I think this is default behaviour for ssh, so I suppose SuSE's installation does this as well. I checked SuSE 6.4 for AXP, that logged ssh as well. I don't have any 7.0 machines with the default ssh, but I suppose this goes for them as well. Stefan On Mon, 13 Nov 2000, Kurt Seifried wrote:
Hi all!
Is there a possibility to display failed logins during ssh-Login, like "FAILLOG_ENAB yes" in /etc/login.defs does for rlogin/telnet ??
RedHat 7.0 by default does:
Nov 13 04:35:10 server sshd[6635]: Failed password for seifried from 127.0.0.1 port 1023 ssh2 Nov 13 04:35:10 server last message repeated 2 times Nov 13 04:35:10 server sshd[6635]: Connection closed by 127.0.0.1
Here's the bit of my sshd_config:
# Logging SyslogFacility AUTH LogLevel INFO
You probably have a different logging level enabled that provides less info, also check syslog.conf for where the output is going.
Regards,
Volker Weinberg
-Kurt
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
========================================== Stefan Suurmeijer Network Specialist University of Groningen tel: (++31) 50 363 3423 / 8258 fax: (++31) 50 363 7272 E-mail (business): s.m.suurmeijer@let.rug.nl or : s.m.suurmeijer@rc.rug.nl E-mail (private): stefan@symbolica.nl ========================================== Quidquid id est, timeo Microsoftum et dona ferentis (Whatever it is, I fear Microsoft, even when they are bringing gifts) The hardware requirements were Windows 95 or better, so I installed Linux
![](https://seccdn.libravatar.org/avatar/c6ef89d28780332254029b8031000e36.jpg?s=120&d=mm&r=g)
Hi! Thank you to everybody who helped. What I actually want, is something like: wank login: weinberg Password: 1 failure since last login. Last was 11:43:51 on 7. , which I get with telnet/rlogin, but not with ssh. Logging under /var/log is not the problem. A quick look in sshd.c shows, that sshd itself does not read /var/log/faillog. if (!options.use_login && command == NULL && last_login_time != 0 && !quiet_login) { /* Convert the date to a string. */ time_string = ctime(&last_login_time); /* Remove the trailing newline. */ if (strchr(time_string, '\n')) *strchr(time_string, '\n') = 0; /* Display the last login time. Host if displayed if known. */ if (strcmp(buf, "") == 0) printf("Last login: %.100s\r\n", time_string); else printf("Last login: %.100s from %.200s\r\n", time_string, buf); } But sshd can call /bin/login: (UseLogin = yes in /etc/sshd_config) #ifdef USELOGIN else { execl(PATH_LOGIN, "login", "-h", remote_ip, "-p", "-f", "--", user_name, NULL); /* NOTREACHED */ } #endif /* USELOGIN */ I hoped, this will help, but still, I do not get the faillog during login. Regarding security, I think it would be a good idea to add /var/log/faillog support for sshd. Regards, Volker Weinberg
participants (4)
-
Andreas Siegert
-
Kurt Seifried
-
Stefan Suurmeijer
-
Volker Weinberg