Project

General

Profile

Actions

Bug #13574

closed

Extra remote address information can confuse ``sshguard``

Added by Jim Pingle about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Authentication
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

The authentication system attempts to be informative and print extra information along with IP addresses to completely identify where a user logs in from. This includes the authentication source (e.g. local database, LDAP or RADIUS, auth server name), contents of proxy headers such as X-Forwarded-For or Client-IP to further clarify exactly where a user is located.

This extra information is printed after the IP address of the remote user in various places, including log messages for authentication.

The extra information confuses the sshguard parser and it fails to recognize the client IP address in authentication error messages, so the protection may not be enforced depending on the content of the request headers.

While this extra information can be helpful, it isn't relevant for authentication failures since (a) the auth source is unknown/undefined as it failed every attempt and (b) since the login failed the rest of the headers shouldn't be trusted anyhow. Thus, we can safely remove it from the error messages.

Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

The extra information is no longer printed in the log, and sshguard properly recognizes the failed attempts even when the client provides the X-Forwarded-For or Client-IP headers.

Actions #3

Updated by Jim Pingle almost 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF