SSH

Secure Shell or SSH is the process that offers secure, trusted connection to a restricted shell on the SafeNet Luna Network HSM appliance for administrative purposes.

Facility Keyword

Software Process

Log File

Authpriv

sshd[pid]

secure

This version of Syslog and SNMP Monitoring Guide shows some examples of log messages you might find for SSH but is not a comprehensive account of all possible messages.

>Expected Log Messages

>Unexpected Log Messages

Expected Log Messages

2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Server listening on 0.0.0.0 port 22.
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Received signal 15; terminating.
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Accepted password for <user name> from 192.168.10.100 port 51286 ssh2
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Received disconnect from 192.168.10.100: 11: disconnected by user
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Did not receive identification string from 192.168.0.100
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Received disconnect from 192.168.0.100: 11: The user disconnected the application
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Accepted publickey for <admin | monitor> from 192.168.0.100 port 2299 ssh2
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: pam_unix(ssdh[1234]:session): session opened for user admin by (uid=0)
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: pam_unix(ssdh[1234]:session): session closed for user admin
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Received disconnect from 192.168.0.100: 2: disconnected by server request
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Connection closed by 192.168.0.100 [preauth]

These messages indicate normal SSH activity. <user name> is “admin”, “operator”, “monitor”, “audit” or a customer-defined name.

Unexpected Log Messages

Under normal circumstances, you should not see any of these log messages. If you do, please contact Thales Group Technical Support to report the message and seek guidance on what to do next.

2012 Feb 29 12:05:01 myLuna  authpriv err  ssdh[1234]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
2012 Feb 29 12:05:01 myLuna  authpriv crit  ssdh[1234]: fatal: Cannot bind any address.
2012 Feb 29 12:05:01 myLuna  authpriv crit  ssdh[1234]: fatal: Read from socket failed: Connection reset by peer [preauth]
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Disconnecting: Too many authentication failures for <user name> [preauth]
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Invalid user <user name> from 192.168.0.100
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: input_userauth_request: invalid user <user name> [preauth]
2012 Feb 29 12:05:01 myLuna  authpriv notice  ssdh[1234]: pam_unix(ssdh[1234]:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.100  user=admin
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Failed password for admin from 192.168.0.100 port 1615 ssh2
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: subsystem request for sftp
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: subsystem request for sftp failed, subsystem not found
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: syslogin_perform_logout: logout() returned an error
2012 Feb 29 12:05:01 myLuna  authpriv alert  ssdh[1234]: pam_unix(ssdh[1234]:auth): check pass; user unknown
2012 Feb 29 12:05:01 myLuna  authpriv crit  ssdh[1234]: pam_succeed_if(ssdh[1234]:auth): error retrieving information about user <user name>
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: User root from 192.168.0.100 not allowed because not listed in AllowUsers
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Bad protocol version identification 'id' from 10.168.64.4
2012 Feb 29 12:05:01 myLuna  authpriv warn  ssdh[1234]: Deprecated pam_stack module called from service "ssdh[1234]"
2012 Feb 29 12:05:01 myLuna  authpriv notice  ssdh[1234]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.101.18.32  user=admin
2012 Feb 29 12:05:01 myLuna  authpriv alert  ssdh[1234]: PAM service(ssdh[1234]) ignoring max retries; 5 > 3
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Received request to connect to host 127.0.0.1 port 3306, but the request was denied.
2012 Feb 29 12:05:01 myLuna  authpriv err  ssdh[1234]: error: Received disconnect from 192.168.0.100: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
2012 Feb 29 12:05:01 myLuna  authpriv crit  ssdh[1234]: fatal: Access denied for user admin by PAM account configuration [preauth]
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Setting tty modes failed: Invalid argument
2012 Feb 29 12:05:01 myLuna  authpriv crit  ssdh[1234]: fatal: PAM: pam_chauthtok(): Authentication token manipulation error
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: syslogin_perform_logout: logout() returned an error
2012 Feb 29 12:05:01 myLuna  authpriv info  ssdh[1234]: Received SIGHUP; restarting.

These messages indicate abnormal SSH activity. A future revision of Syslog and SNMP Monitoring Guide will provide more details of what each message means.