This is on Solaris 10 sparc platform.
I'm trying to make our denyhosts script block the dictionary ssh attacks. Unfortunately, the logging does not show an IP when the user name is invalid.
We are using winbind module in pam.conf
If I intentionally enter a bad password for a good user name, it logs like this:
Mar 30 14:49:21 t2000 sshd[29870]: [ID 800047 auth.notice] Failed keyboard-interactive for fpicabia from 111.222.333.444 port 52567 ssh2
This shows the IP which I want to keep for denyhosts to scan later. No problems here.
If I login with a bogus user name, the log shows no IP info:
Mar 30 14:55:57 t2000 sshd[1816]: [ID 186046 auth.error] pam_winbind(sshd-kbdint): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
In /etc/ssh/sshd_config I already use verbose for logging:
SyslogFacility auth
LogLevel VERBOSE
In pam.conf I have these settings for winbind:
login auth sufficient pam_winbind.so.1 debug
other auth sufficient pam_winbind.so.1 try_first_pass debug
On Linux, the winbind module reports on the IP in the auth log with only the Loglevel of INFO and no debug turned on at the pam module. The limitation is specific to Solaris and its winbind module.
How can I get the IP address showing in the authentication log when the user is unknown?
Somehow this was not logging sufficient detail before, despite restarting winbind and ssh.
The server was rebooted for other reasons and now the logging does include IP for invalid user, with same settings as in question.