Have the sshd host strings that are present in /var/log/auth.log been validated by sshd? [Resolved]

Since the log messages are written by the sshd daemon after an established connection, my understanding is that the host strings have already been validated by the sshd daemon, since the log records would not be in there, since /var/log/auth.log has messages regarding the sshd login attempts after host validation happens.

Is this correct?

Sample log messages:

Sep  8 06:28:55 boxhost sshd[29013]: Invalid user teamspeak3 from 134.209.108.13 port 57936
Sep  8 06:29:51 boxhost sshd[29057]: Failed password for root from 112.85.42.188 port 62425 ssh2
Sep  8 06:29:52 boxhost sshd[29059]: Failed password for invalid user password123 from 103.101.49.6 port 56756 ssh2

In the above log lines there are IPv4 addresses, but they could be IPv6 or host.com format host strings. I am inclined to say that, since a connection was established before these messages appear in this log file, they passed the sshd validation steps in order to establish a connection.


Question Credit: user964491
Asked September 17, 2019
Tags: linux, logs
Posted Under: Unix Linux
1 Answers

Sep  8 06:28:55 boxhost sshd[29013]: Invalid user teamspeak3 from 134.209.108.13 port 57936

The IP address 134.209.108.13 is the IP address from the TCP connection as received by the ssh daemon. It is not "validated" by the ssh daemon in any other regard than that a successful TCP connection could be established with/from that IP address, i.e. the SYN-ACK-ACK steps were completed at the TCP/IP level and sufficient ssh protocol messages were exchanged over that IP connection to negotiate a cipher and to send "teamspeak3" as login name...

Once an IP connection exists, there may be reverse DNS lookups by your system that convert that IP address to a hostname, which then gets logged, but I don't think sshd checks more rigorously, for instance whether the forward record for the hostname returned by a reverse lookup exists and matches.


credit: HBruijn
Answered September 17, 2019
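An added example, not part of the answer above and not OpenSSH code: a log consumer can classify the host field itself and run the forward-confirmed reverse lookup the answer describes. The names `parse_line` and `forward_confirmed` are hypothetical, the resolvers are injectable so the check can run offline, and the last two sample lines are constructed.

```python
import ipaddress
import re
import socket

# Anchored at end of line: the user name is client-supplied text, so the host is
# taken from the trailing "from <host> port <n>" field, not the first " from ".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<host>\S+) port (?P<port>\d+)(?: ssh2)?$"
)

SAMPLE = [  # first two lines are from the question; the last two are constructed
    "Sep  8 06:28:55 boxhost sshd[29013]: Invalid user teamspeak3 from 134.209.108.13 port 57936",
    "Sep  8 06:29:51 boxhost sshd[29057]: Failed password for root from 112.85.42.188 port 62425 ssh2",
    "Sep  8 06:30:02 boxhost sshd[29060]: Failed password for root from host.example.com port 40022 ssh2",
    "Sep  8 06:30:09 boxhost sshd[29061]: Invalid user x from 10.0.0.1 port 1 from 2001:db8::7 port 40023",
]

def parse_line(line):
    """Return (user, host, port, kind) or None; kind is 'ip' or 'hostname'."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        kind = "ip"
    except ValueError:
        kind = "hostname"  # a name comes from DNS, not from the TCP connection
    return (m.group("user"), host, int(m.group("port")), kind)

def _reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def _forward(name):
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def forward_confirmed(ip, reverse=_reverse, forward=_forward):
    """Reverse-resolve ip, forward-resolve that name, check ip is in the answers."""
    try:
        name = reverse(ip)
        addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):
        return (None, False)  # any lookup failure counts as unconfirmed
    return (name, ipaddress.ip_address(ip) in addrs)
```

A host field of kind `hostname`, or an address for which `forward_confirmed` returns `False`, is a name chosen by whoever controls the PTR record and should be stored alongside the raw address rather than in place of it.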