From: Barry M. <bmu...@ga...> - 2015-02-03 00:52:50
Thanks, Kevin. I'll continue to poke around ...and monitor this thread for news.

On Mon, Feb 2, 2015 at 7:47 PM, Kevin Zheng <kev...@gm...> wrote:
> Hi Barry,
>
> On 02/02/2015 14:52, Barry Muldrey wrote:
> > /* wrong password for valid user @ FreeBSD, Debian */
> > "error: PAM: "[aA]"uthentication "(error|failure)" for "("illegal user ")?.+" from " { return SSH_LOGINERR_PAM; }
> >
> > which seems to be the appropriate pattern...
>
> Not quite. You're looking at the lexer, which is responsible for
> retrieving separable tokens. To add "via", you are interested in
> 'attack_parser.y', in particular these lines:
>
> ssh_authfail:
>     SSH_LOGINERR_PREF addr SSH_LOGINERR_SUFF
>   | SSH_LOGINERR_PAM addr
>   ;
>
> The solution is to add a new lexer token along the lines of
> SSH_OPT_ADDR_SUFFIX and append this to this yacc rule.
>
> This should not be difficult, but isn't exactly trivial either.
> Hopefully I'll get around to this soon.
>
> Thanks,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
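The lexer/parser split described in the quoted reply, modelled as an added Python example that is not part of the thread and not sshguard's code. It shows that a " via <addr>" suffix needs both a new token and a new grammar alternative; the suffix pattern, the IPv4-only ADDR pattern and the sample log lines are assumptions constructed for illustration.

```python
import re

# Lexer model: token patterns tried in order at the current position.
# SSH_LOGINERR_PAM mirrors the lex rule quoted in the thread; the ADDR pattern
# (IPv4 only) and the SSH_OPT_ADDR_SUFFIX pattern are assumptions.
OLD_LEXER = [
    ("SSH_LOGINERR_PAM",
     r"error: PAM: [aA]uthentication (?:error|failure) for (?:illegal user )?.+ from "),
    ("ADDR", r"\d{1,3}(?:\.\d{1,3}){3}"),
]
NEW_LEXER = OLD_LEXER + [("SSH_OPT_ADDR_SUFFIX", r" via \S+")]

# Parser model: the PAM alternative of ssh_authfail, before and after the change.
OLD_RULE = [["SSH_LOGINERR_PAM", "ADDR"]]
NEW_RULE = OLD_RULE + [["SSH_LOGINERR_PAM", "ADDR", "SSH_OPT_ADDR_SUFFIX"]]

def tokenize(line, lexer):
    """Split a log line into (token, text) pairs; unmatched text becomes UNKNOWN."""
    pos, tokens = 0, []
    while pos < len(line):
        for name, pattern in lexer:
            m = re.compile(pattern).match(line, pos)
            if m:
                tokens.append((name, m.group(0)))
                pos = m.end()
                break
        else:
            tokens.append(("UNKNOWN", line[pos:]))
            break
    return tokens

def parse_authfail(line, lexer, rule):
    """Return the offending address if the token sequence fits the rule, else None."""
    tokens = tokenize(line, lexer)
    if [name for name, _ in tokens] in rule:
        return tokens[1][1]  # the addr after "from", never the "via" address
    return None

# Constructed sample log lines (documentation address ranges).
PLAIN = "error: PAM: authentication error for root from 192.0.2.10"
WITH_VIA = "error: PAM: authentication error for root from 192.0.2.10 via 198.51.100.5"

if __name__ == "__main__":
    for lexer, rule, label in [(OLD_LEXER, OLD_RULE, "original"),
                               (NEW_LEXER, OLD_RULE, "token only"),
                               (NEW_LEXER, NEW_RULE, "token + rule")]:
        print(label, parse_authfail(PLAIN, lexer, rule),
              parse_authfail(WITH_VIA, lexer, rule))
```

With the original lexer and rule the "via" line is not recognized as an attack at all, so failed logins logged in that form would go uncounted until both pieces change.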