Monday, October 14, 2024

7.6 openssh match 'invalid-user' feature

Hello, I'm checking out the changes coming along openbsd 7.6, and
I'm having trouble with openssh's "Invalid-User" Match.

> Add a new sshd_config(5) "invalid-user" Match predicate that allows
> matching on invalid usernames, e.g. to allow penalisation of
> account/password guessers.

Now I might very well be doing it wrong, but I cannot figure out why
my username is not considered 'valid'. I am testing things out
on the following system:

> xse@krkrkr ~ $ uname -a
> OpenBSD krkrkr.org 7.6 GENERIC#332 amd64
> xse@krkrkr ~ $ sshd -V
> OpenSSH_9.9, LibreSSL 4.0.0
> xse@krkrkr ~ $ whoami
> xse

Here's a configuration extract (full: https://clbin.com/LIek2 ):

> PerSourcePenalties refuseconnection:120s
> Match Invalid-User
> RefuseConnection yes

where the penalty is applied to my 'valid' user (VERBOSE logs extract):

> krkrkr sshd-session[50285]: administratively prohibited connection for
> xse from 86.253.103.85 port 54128
> krkrkr sshd[15468]: srclimit_penalise: ipv4: new 86.253.103.85/32
> active penalty of 120 seconds for penalty: connection prohibited by
> RefuseConnection

Finally a DEBUG3 LogLevel extract which outputs:

> debug3: checking match for 'Invalid-User' user xse host 86.253.103.85
> addr 86.253.103.85 laddr 46.23.92.76 lport 1337
> debug3: match not found

I'm not too sure what I'm doing wrong here and would appreciate any
pointers. Have a good day!
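An added example, not part of the post above: a small log triage script that reads sshd VERBOSE/DEBUG3 output, pairs each "checking match for ..." line with its "match found" / "match not found" verdict (correlated by the sshd-session pid when the syslog prefix is present), and then lists refusals that occurred in a session where no logged Match block actually matched, which is exactly the situation the post shows for user xse. The sample log is constructed here, modelled on the lines quoted in the post; the second session (a nonexistent user from 203.0.113.9) is invented to show the contrasting "match found" path, and the regular expressions assume the message formats as quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the VERBOSE and DEBUG3 lines quoted in the post.
# The first session (pid 50285, user xse) reproduces the post; the second (pid 50301)
# is invented to show what a genuinely invalid username looks like in the same log.
SAMPLE_LOG = """\
krkrkr sshd-session[50285]: debug3: checking match for 'Invalid-User' user xse host 86.253.103.85 addr 86.253.103.85 laddr 46.23.92.76 lport 1337
krkrkr sshd-session[50285]: debug3: match not found
krkrkr sshd-session[50285]: administratively prohibited connection for xse from 86.253.103.85 port 54128
krkrkr sshd[15468]: srclimit_penalise: ipv4: new 86.253.103.85/32 active penalty of 120 seconds for penalty: connection prohibited by RefuseConnection
krkrkr sshd-session[50301]: debug3: checking match for 'Invalid-User' user nosuchuser host 203.0.113.9 addr 203.0.113.9 laddr 46.23.92.76 lport 1337
krkrkr sshd-session[50301]: debug3: match found
krkrkr sshd-session[50301]: administratively prohibited connection for nosuchuser from 203.0.113.9 port 40000
krkrkr sshd[15468]: srclimit_penalise: ipv4: new 203.0.113.9/32 active penalty of 120 seconds for penalty: connection prohibited by RefuseConnection
"""

# Message shapes taken from the lines quoted in the post (assumed stable across OpenSSH 9.8/9.9).
PROC_RE = re.compile(r"sshd(?:-session)?\[(?P<pid>\d+)\]")
MATCH_RE = re.compile(r"checking match for '(?P<pred>[^']+)' user (?P<user>\S+) host (?P<host>\S+) addr (?P<addr>\S+)")
RESULT_RE = re.compile(r"debug3: match (?P<result>found|not found)")
PROHIB_RE = re.compile(r"administratively prohibited connection for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")
PENALTY_RE = re.compile(r"srclimit_penalise: ipv[46]: new (?P<net>\S+) active penalty of (?P<secs>\d+) seconds for penalty: (?P<reason>.*)$")


def parse_sshd_log(text):
    """Return Match evaluations, refusals and penalties found in sshd log text."""
    pending = {}       # pid -> evaluation still waiting for its "match found/not found" line
    evaluations = []   # completed Match evaluations
    refusals = []      # "administratively prohibited connection" events
    penalties = []     # srclimit_penalise events (logged by the listener pid, not the session)
    for line in text.splitlines():
        proc = PROC_RE.search(line)
        pid = proc.group("pid") if proc else None   # None when reading `sshd -d` output without a syslog prefix
        if (m := MATCH_RE.search(line)):
            pending[pid] = {"pid": pid, "predicate": m["pred"], "user": m["user"],
                            "addr": m["addr"], "result": None}
        elif (m := RESULT_RE.search(line)):
            ev = pending.pop(pid, None)
            if ev is not None:
                ev["result"] = m["result"]
                evaluations.append(ev)
        elif (m := PROHIB_RE.search(line)):
            refusals.append({"pid": pid, "user": m["user"], "addr": m["addr"], "port": int(m["port"])})
        elif (m := PENALTY_RE.search(line)):
            penalties.append({"net": m["net"], "seconds": int(m["secs"]), "reason": m["reason"]})
    return {"evaluations": evaluations, "refusals": refusals, "penalties": penalties}


def refusals_without_matching_block(report):
    """Refusals in sessions where no evaluated Match predicate returned 'found'.

    A hit means RefuseConnection fired even though every logged Match block was
    reported as not applying to that session; that is the contradiction the post
    describes for the valid user 'xse'."""
    found_by_pid = defaultdict(bool)
    for ev in report["evaluations"]:
        if ev["result"] == "found":
            found_by_pid[ev["pid"]] = True
    return [r for r in report["refusals"] if not found_by_pid[r["pid"]]]


def penalised_sources(report):
    """Map each penalised source network to the longest penalty seen for it."""
    out = {}
    for p in report["penalties"]:
        out[p["net"]] = max(out.get(p["net"], 0), p["seconds"])
    return out


if __name__ == "__main__":
    report = parse_sshd_log(SAMPLE_LOG)
    for ev in report["evaluations"]:
        print(f"pid {ev['pid']}: Match {ev['predicate']} for user {ev['user']} -> {ev['result']}")
    for r in refusals_without_matching_block(report):
        print(f"refused without a matching block: user {r['user']} from {r['addr']} (pid {r['pid']})")
    print("penalised sources:", penalised_sources(report))
```

Feeding a real DEBUG3 log through this (for example `sshd -d -ddd 2>&1 | python3 triage.py` with `SAMPLE_LOG` swapped for `sys.stdin.read()`) gives a per-session view of which Match block sshd thought applied before the penalty was imposed, which is the first thing to establish before changing the configuration.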
