Bug #13574
closedExtra remote address information can confuse ``sshguard``
100%
Description
The authentication system attempts to be informative and print extra information along with IP addresses to completely identify where a user logs in from. This includes the authentication source (e.g. local database, LDAP or RADIUS, auth server name), contents of proxy headers such as X-Forwarded-For
or Client-IP
to further clarify exactly where a user is located.
This extra information is printed after the IP address of the remote user in various places, including log messages for authentication.
The extra information confuses the sshguard
parser and it fails to recognize the client IP address in authentication error messages, so the protection may not be enforced depending on the content of the request headers.
While this extra information can be helpful, it isn't relevant for authentication failures since (a) the auth source is unknown/undefined as it failed every attempt and (b) since the login failed the rest of the headers shouldn't be trusted anyhow. Thus, we can safely remove it from the error messages.
Updated by Jim Pingle about 2 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 9633ec324eada0b870962d3682d264be577edc66.
Updated by Jim Pingle about 2 years ago
- Status changed from Feedback to Resolved
The extra information is no longer printed in the log, and sshguard properly recognizes the failed attempts even when the client provides the X-Forwarded-For
or Client-IP
headers.