Bug 234793 - Failed unknown for $USER in sshd logs even if I got authenticated
Summary: Failed unknown for $USER in sshd logs even if I got authenticated
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 12.0-RELEASE
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-bugs mailing list
Depends on:
Reported: 2019-01-09 16:24 UTC by Sverre
Modified: 2019-08-20 14:40 UTC (History)
20 users (show)

See Also:

client-ssh-verbose.md (12.00 KB, text/plain)
2019-01-13 10:47 UTC, Egbert Pot
no flags Details
server--auth.log (1.38 KB, text/plain)
2019-01-13 10:48 UTC, Egbert Pot
no flags Details
server--sshd_config (3.91 KB, text/plain)
2019-01-13 10:49 UTC, Egbert Pot
no flags Details
Auth.log, sshd_config and level 3 debug of client (14.09 KB, text/plain)
2019-01-27 23:07 UTC, holmez
no flags Details
sshd debug (19.58 KB, text/plain)
2019-02-05 12:49 UTC, David Froehlich
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sverre 2019-01-09 16:24:10 UTC
If I ssh into a box with 12.0-RELEASE I get in fine, but the server logs that my attempt Failed for $USER ... Looks weird and I saw this one dude online that complained about this causing fail2ban to add him to the ban list. This is not an issue on 11.2 with exactly the same setup and keys and users.
Comment 1 Egbert Pot 2019-01-13 10:47:11 UTC
Created attachment 201093 [details]
Comment 2 Egbert Pot 2019-01-13 10:48:23 UTC
Created attachment 201094 [details]
Comment 3 Egbert Pot 2019-01-13 10:49:12 UTC
Created attachment 201095 [details]
Comment 4 Egbert Pot 2019-01-13 10:50:44 UTC
I I have the same issue as @Sverre. Due to this issue I cannot use Fail2Ban, since it also bans successful logins.

To help debugging this issue, I've added:
* SSH server configuration from /etc/ssh/sshd_config on the FreeBSD12 system; see server--sshd_config
* SSH server's authentication log output /var/log/auth.log; see server--auth.log
* Very verbose output of the SSH session initiated by the client; see client-ssh-verbose.md

Information on the SSH server - FreeBSD 12

$ uname -a
FreeBSD gatekeeper 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64

$ getconf LONG_BIT

$ uname -K

$ uname -U

$ sshd --help
sshd: illegal option -- -
OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd  20 Nov 2018

Information on the SSH client - OSx 10.14.2

$ sw_vers
ProductName:	Mac OS X
ProductVersion:	10.14.2
BuildVersion:	18C54

$ ssh -V
OpenSSH_7.9p1, LibreSSL 2.7.3
Comment 5 Ryan 2019-01-18 18:10:47 UTC
I'm also seeing this happening across multiple machines since updating to 12.0-RELEASE.  My sshd_config, auth.log, and client verbose log match the files uploaded by Egbert.

My server environment is:

$ uname -a
FreeBSD gateway 12.0-RELEASE-p2 FreeBSD 12.0-RELEASE-p2 GENERIC  amd64

$ getconf LONG_BIT

$ uname -K

$ uname -U

$ sshd --help
sshd: illegal option -- -
OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd  20 Nov 2018

I'm pretty confident saying that it's not a client issue, since I've tried all of the following and have received the same results with them all:

- The above mentioned FreeBSD server
- MacOS 10.14.2, OpenSSH_7.9p1, LibreSSL 2.7.3
- Blink for iOS v12.4.81
- PuTTY 0.69 on Windows 10
Comment 6 Morgan Vandagriff 2019-01-26 18:48:21 UTC
I can also confirm this on multiple amd64 machines upgraded to 12.0-RELEASE.
Comment 7 holmez 2019-01-27 23:07:29 UTC
Created attachment 201466 [details]
Auth.log, sshd_config and level 3 debug of client

same here on FreeBSD 12.0-STABLE (as of 2019-01-08)
Comment 8 David Froehlich 2019-02-05 12:49:47 UTC
Created attachment 201758 [details]
sshd debug

Same issue here.
I have attached a debug of the sshd.
The spurious errors are in line 171 and 209.
Comment 9 Thomas Guymer 2019-02-10 12:38:13 UTC
I too am also getting these lines in my logs since updating to 12.0-RELEASE yesterday. I too can no longer use "sshguard" as it is blocking *all* machines that connect, even the ones that are allowed.
Comment 10 Peter Putzer 2019-02-22 20:12:05 UTC
Same problem here (amd64 server upgraded from FreeBSD 11.2), including the trouble with Sshguard :(
Comment 11 Rihad 2019-02-23 16:45:27 UTC
Same problem here on 12.0-RELEASE-p3. The lines appear in "daily security run output" as login failures, which they aren't really.
Comment 12 Peter Putzer 2019-02-23 22:21:55 UTC
For now, I've worked around the issue by switching to openssh-portable from ports.
Comment 13 Trev 2019-02-24 05:46:39 UTC
Same problem here on 12.0-RELEASE-p3. The lines appear in "daily security run output" as login failures but they're not.
Comment 14 Jamie Baxter 2019-04-06 21:22:58 UTC
Seeing the same issue here on all FreeBSD 12.0 machines. Seeing 3 "Failed unknown for $USER from $IP port $PORT ssh2" strings on each connection showing up in auth.log at VERBOSE level or higher.

Three machines were updated from 11.2 -> 12.0 and all demonstrate this behavior. It also occurs with a new machine that installed 12.0 fresh. Had to disable sshguard on all machines until I found the number of failures in auth.log (they all locked me out after upgrade, and the new 12.0 installation locked me out after sshguard was started).

(In reply to Thomas Guymer from comment #9)
(In reply to Peter Putzer from comment #10)

With regard to sshguard problems, you should be able to get circumvent this by adjusting THRESHOLD in sshguard.conf to some value higher than 30 (if you utilize BLACKLIST_FILE, also ensure that threshold is raised to match). Do ensure your client IP is not already committed to any blacklist sshguard may use.
Comment 15 Jamie Baxter 2019-04-06 21:43:55 UTC
(In reply to Jamie Baxter from comment #14)
Or instead of touching the sshguard.conf file, you can just set the rc.conf variable sshguard_danger_thresh to something greater than 30.
Comment 16 Vincent Bentley 2019-05-17 13:21:00 UTC
Issue still present on 12.0-RELEASE-p5
Comment 17 Egbert Pot 2019-07-14 10:48:58 UTC
Issue still present on 12.0-RELEASE-p7

Is there a possibility to upgrade the OpenSSH package to version 7.9 or 8.0?