Bug #16312 (closed, 100% done): ``sshguard`` does not trigger for GUI logins from usernames containing unexpected characters

Description
We currently patch the sshguard port to match pfSense login messages like so:
.+": webConfigurator authentication error for user '"{WORD}"' from: " { return PFSENSE_AUTH_FAIL; }
However, sshguard defines WORD as:
WORD [a-zA-Z0-9][-_a-zA-Z0-9]+
As a consequence, if the username contains a character not in that list, such as a period (.) in a valid username like first.last, then sshguard would not trigger for a login failure message involving that account.
The login message format should be changed to use a different pattern, such as .+, .*, or [^ ].
Updated by Jim Pingle 6 months ago
- Blocks Bug #16314: GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages added
Updated by Jim Pingle 5 months ago
- Subject changed from sshguard does not trigger for username strings containing unexpected characters. to ``sshguard`` does not trigger for username strings containing unexpected characters
- Target version changed from 2.8.1 to 2.9.0
Updated by Jim Pingle 5 months ago
- Blocked by Regression #16313: sshguard patch files are not present in devel branches added
Updated by Jim Pingle about 2 months ago
- Status changed from Confirmed to In Progress
Upstream commit fix: https://github.com/SSHGuard/sshguard/commit/2295182adab901c6808182659a3de59dd012d895
Manually pulled in until they release a new version: https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/fd34c8bf45d67492e58be693826de28d352f1319
Updated by Jim Pingle about 2 months ago
- Status changed from In Progress to Feedback
- Assignee set to Jim Pingle
Need to test in the new builds once they're done and then check on what else is needed for #16314
Updated by Jim Pingle about 2 months ago
- Blocked by deleted (Regression #16313: sshguard patch files are not present in devel branches)
Updated by Jim Pingle about 2 months ago
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
Local patch with the format change for sshguard is present in builds now and working on 25.11.
CE and Plus dev branches have logging changes that make testing it tricky, but Marcos is working on fixing the log message format to make sure it matches. I ran a test with the expected log messages with several invalid username patterns and everything was flagged properly.
As this is a binary change, I have a combined patch for this and #16314 which removes non-word characters from the username before logging and that change is suitable for use on CE 2.8.1 and Plus 25.07.1, errors are properly flagged and logged.
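The matching gap described in the issue description, together with the username sanitization mentioned in the comment above, as an added example in Python (not sshguard's own lex rules or the pfSense patch). The loosened username sub-pattern `[^']+`, the `\W` stripping used for the sanitization, and the sample log lines are assumptions made for this example; the exact patch contents are not shown on this page.

```python
import re

# sshguard's stock WORD definition, as quoted in the issue description.
WORD = r"[a-zA-Z0-9][-_a-zA-Z0-9]+"

# Loosened username sub-pattern. Assumption for this example: the description
# suggests .+, .* or [^ ]; [^']+ is used here so the match still stops at the
# closing quote and the "from:" field after it stays delimited.
LOOSE = r"[^']+"


def build_rule(username_pattern):
    """Python equivalent of the pfSense sshguard lex rule, with capture groups
    for the username and the source address that follows "from:"."""
    return re.compile(
        r"^.+: webConfigurator authentication error for user '("
        + username_pattern
        + r")' from: (\S+)"
    )


OLD_RULE = build_rule(WORD)   # what the existing patch effectively matches
NEW_RULE = build_rule(LOOSE)  # the loosened form


def match_auth_failure(rule, line):
    """Return (username, source) if the line is a GUI auth failure per rule, else None."""
    m = rule.match(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def sanitize_username(name):
    """Drop non-word characters before logging, as the combined patch for
    #16314 is described to do (assumed implementation; not the patch's code)."""
    return re.sub(r"\W", "", name)


# Constructed sample log lines in the pfSense message format quoted in the description.
PREFIX = "Jan  1 00:00:00 pfSense php-fpm[123]: /index.php: "
USERNAMES = ["admin", "first.last", "jane_doe", "a", "bob@example.com"]
SAMPLE_LOG = [
    PREFIX + "webConfigurator authentication error for user '%s' from: 192.0.2.10" % u
    for u in USERNAMES
]


def matched_usernames(rule, lines):
    """Usernames extracted from the lines that the rule triggers on."""
    return [r[0] for r in (match_auth_failure(rule, l) for l in lines) if r]


def missed_by_old_rule(lines):
    """Usernames the loosened rule flags but the stock WORD rule silently skips."""
    new = matched_usernames(NEW_RULE, lines)
    old = set(matched_usernames(OLD_RULE, lines))
    return [u for u in new if u not in old]


if __name__ == "__main__":
    print("stock WORD rule matches :", matched_usernames(OLD_RULE, SAMPLE_LOG))
    print("loosened rule matches   :", matched_usernames(NEW_RULE, SAMPLE_LOG))
    print("missed by stock rule    :", missed_by_old_rule(SAMPLE_LOG))
    # Sanitizing alone rescues 'first.last' but not the single-character name,
    # because WORD requires at least two characters.
    for u in ["first.last", "a"]:
        line = PREFIX + "webConfigurator authentication error for user '%s' from: 192.0.2.10" % sanitize_username(u)
        print("sanitized %r -> stock rule matches: %s" % (u, match_auth_failure(OLD_RULE, line) is not None))
```

Running the block shows why both halves of the combined patch matter: stripping non-word characters makes `first.last` matchable by the stock rule, but a one-character username still fails because `WORD` demands at least two characters, so the pattern change is needed as well. A username containing a single quote would still confuse the delimiting of the `from:` field, which is the kind of ambiguity #16314 addresses by sanitizing before logging.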
Updated by Jim Pingle about 2 months ago
The 16312_16314.patch patch file applies to Plus 25.07.1 and CE 2.8.1 and addresses this issue as well as #16314. It may apply on older versions, but I didn't test it back any farther than 25.07.1 and 2.8.1.
Updated by Jim Pingle about 2 months ago
- File 16312_16314.patch added
Updated by Jim Pingle about 2 months ago
- Subject changed from ``sshguard`` does not trigger for username strings containing unexpected characters to ``sshguard`` does not trigger for WebGUI logins using username strings containing unexpected characters
Updated by Jim Pingle about 2 months ago
- Subject changed from ``sshguard`` does not trigger for WebGUI logins using username strings containing unexpected characters to ``sshguard`` does not trigger for WebGUI logins from usernames containing unexpected characters
Updated by Jim Pingle about 2 months ago
- Subject changed from ``sshguard`` does not trigger for WebGUI logins from usernames containing unexpected characters to ``sshguard`` does not trigger for GUI logins from usernames containing unexpected characters