Bug#491550: sshd does not log login attempts using invalid public keys

by Richard Lewis-5

Package: ssh
Severity: normal

If attackers attempt to log in using invalid users/passwords then sshd
adds a line to that effect to the log.  But if they are using public
keys that are not allowed then nothing is added.

This means that if a system is still allowing "vulnerable" keys then
an attacker can brute-force a login by trying all such in turn, and
the sysadmin will never notice this even if they review their logs.

Packages like fail2ban and denyhosts rely on the log file containing
details of unsuccessful login attempts.

#75043 is related.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.29-xen
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
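
An added example, not part of the original report and not code from OpenSSH, fail2ban or denyhosts: a minimal log scan of the kind such tools perform, counting failed publickey attempts alongside failed passwords per source address. It assumes sshd is running with LogLevel VERBOSE so that "Failed publickey for ..." lines are written; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of auth.log lines (documentation addresses, not real data).
# Assumption: the "Failed publickey" lines require LogLevel VERBOSE in sshd_config.
SAMPLE_LOG = """\
Jul 20 10:00:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jul 20 10:00:03 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul 20 10:00:05 host sshd[1002]: Failed publickey for root from 198.51.100.7 port 50001 ssh2
Jul 20 10:00:05 host sshd[1002]: Failed publickey for root from 198.51.100.7 port 50001 ssh2
Jul 20 10:00:06 host sshd[1003]: Failed publickey for root from 198.51.100.7 port 50002 ssh2
Jul 20 10:00:09 host sshd[1004]: Accepted publickey for alice from 203.0.113.5 port 60001 ssh2
Jul 20 10:00:11 host sshd[1005]: Failed publickey for bob from 203.0.113.9 port 60002 ssh2
"""

# Matches any "Failed <method> for [invalid user ]<user> from <ip> port <n>" line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def count_failures(log_text):
    """Return {(ip, method): count} for every failed authentication line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m.group("ip"), m.group("method"))] += 1
    return counts


def offenders(log_text, threshold=3, methods=("password", "publickey")):
    """Source addresses whose failures over the given methods reach threshold.

    A threshold matters for publickey: a legitimate client whose agent offers
    several keys can log a few failures before the accepted one.
    """
    per_ip = Counter()
    for (ip, method), n in count_failures(log_text).items():
        if method in methods:
            per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    print("password only:", offenders(SAMPLE_LOG, 2, methods=("password",)))
    print("password + publickey:", offenders(SAMPLE_LOG, 2))
```

Matching on passwords alone misses the address that only tried keys; including the publickey method surfaces it.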


