Open rubenk opened 9 years ago
Thank you for this PR.
I am worried that this change would unintentionally allow other entries containing this substring. For example, it seems that the Bye Bye text in the below log message is attacker-supplied:
sshd[905]: Invalid user angie from 195.154.65.98
sshd[905]: input_userauth_request: invalid user angie [preauth]
sshd[905]: Received disconnect from 195.154.65.98: 11: Bye Bye [preauth]
This could be used to bypass the intended filtering. Either the message matching should be anchored to the beginning (stripping/ignoring sshd[...]: somehow) or it should get anchored to the end (including an optional regex match for the fingerprint).
Yeah that's a good point. I'm out of time for now but I'll look into this, thanks.
for example: Accepted publickey for ruben from x.x.x.x port 57452 ssh2: RSA d4:65:ea:25:96:22:c6:72:53:33:91:5a:78:1e:24:69
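The anchoring concern raised in this thread, as an added example that is not code from the PR or the project: it runs an unanchored and a fully anchored ignore rule over constructed log lines and shows which lines are still reported. The rule patterns, the `reported` helper and the sample lines are assumptions; the lines carry no timestamp or hostname prefix, matching the samples quoted above.

```python
import re

# Hypothetical ignore rules; the pattern text is an assumption, not the PR's.
UNANCHORED = re.compile(r"Accepted publickey for \S+ from \S+ port \d+ ssh2")
ANCHORED = re.compile(
    r"^sshd\[\d+\]: Accepted publickey for \S+ from \S+ port \d+ ssh2"
    r"(?:: \S+ [0-9a-f]{2}(?::[0-9a-f]{2})+)?$"  # optional key type + fingerprint
)

# Constructed sample lines (192.0.2.0/24 is a documentation range).
LINES = [
    "sshd[901]: Accepted publickey for ruben from 192.0.2.1 port 57452 ssh2",
    "sshd[902]: Accepted publickey for ruben from 192.0.2.1 port 57452 ssh2: "
    "RSA d4:65:ea:25:96:22:c6:72:53:33:91:5a:78:1e:24:69",
    "sshd[905]: Invalid user angie from 192.0.2.10",
    "sshd[905]: Received disconnect from 192.0.2.10: 11: Bye Bye [preauth]",
    # Disconnect text chosen by the client so that it contains the ignored substring.
    "sshd[906]: Received disconnect from 192.0.2.10: 11: Accepted publickey "
    "for root from 192.0.2.10 port 22 ssh2 [preauth]",
]


def reported(lines, ignore_rule):
    """Return the lines that survive filtering, i.e. are not ignored."""
    return [line for line in lines if not ignore_rule.search(line)]


if __name__ == "__main__":
    for name, rule in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(f"{name}: still reported")
        for line in reported(LINES, rule):
            print("   " + line)
```

With the unanchored rule the sshd[906] line is dropped together with the genuine logins; the anchored rule keeps it in the report while still ignoring both login formats.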