Bug #16312
closed
``sshguard`` does not trigger for GUI logins from usernames containing unexpected characters
Added by Jim Pingle 6 months ago.
Updated 28 days ago.
Category: User Manager / Privileges
Plus Target Version: 25.11
Description
We currently patch the sshguard port to match pfSense login messages like so:
.+": webConfigurator authentication error for user '"{WORD}"' from: " { return PFSENSE_AUTH_FAIL; }
However, sshguard defines WORD as:
WORD [a-zA-Z0-9][-_a-zA-Z0-9]+
As a consequence, if the username contains a character not in that list, such as a period (.) in a valid username like first.last, then sshguard would not trigger for a login failure message involving that account.
The login message format should be changed to use a different pattern such as .+, .*, or [^ ].
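To make the gap concrete, the added Python check below (not code from the bug report, from pfSense or from sshguard, which matches with flex rules rather than Python regexes) runs the quoted rule with sshguard's WORD definition expanded, and a relaxed variant built from the report's "[^ ]" suggestion, over constructed sample log lines. The log prefix in the samples and the address capture after "from: " are assumptions of this example. It also shows a side effect of the WORD definition that the report's examples do not spell out: the trailing "+" means a one-character username is not matched either.

```python
import re
from typing import List, Optional

# sshguard's WORD token, as quoted in the bug report. Note the '+' after the
# first class: WORD needs at least two characters, so it also misses a
# one-character username, not only names with '.', '@' and similar.
WORD = r"[a-zA-Z0-9][-_a-zA-Z0-9]+"

# The pfSense rule from the sshguard patch quoted in the report, with {WORD}
# expanded. The address capture after "from: " is an assumption of this
# example, not part of the quoted rule.
ORIGINAL = re.compile(
    r".+: webConfigurator authentication error for user '" + WORD + r"' from: (?P<addr>\S+)$"
)

# Relaxed rule using the report's "[^ ]" suggestion, repeated so the username
# may be any run of non-space characters.
RELAXED = re.compile(
    r".+: webConfigurator authentication error for user '[^ ]+' from: (?P<addr>\S+)$"
)

# Constructed sample log lines (the "php-fpm[321]: /index.php:" prefix is made up
# for this example; the message text follows the format quoted in the report).
SAMPLE_LOGS: List[str] = [
    "php-fpm[321]: /index.php: webConfigurator authentication error for user 'admin' from: 192.0.2.10",
    "php-fpm[321]: /index.php: webConfigurator authentication error for user 'first.last' from: 192.0.2.11",
    "php-fpm[321]: /index.php: webConfigurator authentication error for user 'a' from: 192.0.2.12",
    "php-fpm[321]: /index.php: webConfigurator authentication error for user 'user@example.com' from: 192.0.2.13",
    "php-fpm[321]: /index.php: Successful login for user 'admin' from: 192.0.2.10",
]


def attacker_address(line: str, rule: re.Pattern) -> Optional[str]:
    """Return the source address the rule extracts for this line, or None when
    the rule does not fire (sshguard then never sees the failure)."""
    m = rule.match(line)
    return m.group("addr") if m else None


def missed_failures(rule: re.Pattern, lines: List[str]) -> List[str]:
    """Authentication failures (found by a loose substring check) that the rule
    does not flag; an empty list means no failure goes unnoticed."""
    return [
        line
        for line in lines
        if "webConfigurator authentication error" in line
        and attacker_address(line, rule) is None
    ]


if __name__ == "__main__":
    for name, rule in (("original WORD rule", ORIGINAL), ("relaxed rule", RELAXED)):
        print(f"{name}: misses {len(missed_failures(rule, SAMPLE_LOGS))} of the failures")
        for line in SAMPLE_LOGS:
            print("  ", attacker_address(line, rule), "<-", line.split(": ", 2)[-1])
```

With the original rule, three of the four failure lines (first.last, a, user@example.com) return None and would never count toward a block; the relaxed rule flags all four and still ignores the successful login. One caveat of the "[^ ]" form is that a username containing a space would still be missed, which the report's other suggestions (.+ or .*) would cover.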
Files
- Blocks Bug #16314: GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages added
- Subject changed from sshguard does not trigger for username strings containing unexpected characters. to ``sshguard`` does not trigger for username strings containing unexpected characters
- Target version changed from 2.8.1 to 2.9.0
- Blocked by Regression #16313: sshguard patch files are not present in devel branches added
- Status changed from Confirmed to In Progress
- Status changed from In Progress to Feedback
- Assignee set to Jim Pingle
Need to test in the new builds once they're done and then check on what else is needed for #16314.
- Blocked by deleted (Regression #16313: sshguard patch files are not present in devel branches)
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
Local patch with the format change for sshguard is present in builds now and working on 25.11.
CE and Plus dev branches have logging changes that make testing it tricky, but Marcos is working on fixing the log message format to make sure it matches. I ran a test with the expected log messages with several invalid username patterns and everything was flagged properly.
As this is a binary change, I have a combined patch for this and #16314, which removes non-word characters from the username before logging; that change is suitable for use on CE 2.8.1 and Plus 25.07.1, and errors are properly flagged and logged.
The 16312_16314.patch patch file applies to Plus 25.07.1 and CE 2.8.1 and addresses this issue as well as #16314. It may apply on older versions, but I didn't test it back any farther than 25.07.1 and 2.8.1.
- Subject changed from ``sshguard`` does not trigger for username strings containing unexpected characters to ``sshguard`` does not trigger for WebGUI logins using username strings containing unexpected characters
- Subject changed from ``sshguard`` does not trigger for WebGUI logins using username strings containing unexpected characters to ``sshguard`` does not trigger for WebGUI logins from usernames containing unexpected characters
- Subject changed from ``sshguard`` does not trigger for WebGUI logins from usernames containing unexpected characters to ``sshguard`` does not trigger for GUI logins from usernames containing unexpected characters
- Private changed from Yes to No