# posible bug on sshd (LogLevel INFO)



## nbari (Feb 28, 2009)

I created a jail and configured sshd on it with the following options:


```
Port 22
Protocol 2
ServerKeyBits 1024
SyslogFacility AUTH
[color="Red"]LogLevel INFO[/color]
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
PrintLastLog yes
Compression yes
KeepAlive yes
ClientAliveInterval 60
Uselogin no
Banner /etc/ssh/banner
Subsystem   sftp    /usr/libexec/sftp-server
UseDNS no
MaxStartups 10:30:60
MaxAuthTries 3
UsePrivilegeSeparation yes
StrictModes yes
```

I start to notice on the /var/log/auth lot of lines like this:

Feb 28 00:47:38 ssh sshd[62899]: login_getclass: unknown class 'staff'
Feb 28 00:47:38 ssh sshd[62899]: login_getclass: unknown class 'staff'

I change the LogLevel to DEBUG for trying to fund more info but for my surprise in DEBUG or VERBOSE mode i never got that lines.

this is the output of VERBOSE

Feb 28 00:51:53 ssh sshd[63025]: warning: /etc/hosts.allow, line 30: can't verify hostname: getaddrinfo(189-228-129-192.static.as29550.net, AF_INET) failed
Feb 28 00:51:53 ssh sshd[63025]: Connection from 189.228.129.192 port 54551
Feb 28 00:51:54 ssh sshd[63025]: Failed none for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:54 ssh sshd[63025]: Failed publickey for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:55 ssh sshd[63025]: Accepted password for nbari from 189.228.129.192 port 54551 ssh2
Feb 28 00:51:55 ssh sshd[63025]: User child is on pid 63027

the host server has FreeBSD 7.1 amd64 and the jails make.conf looks like:


```
# BUILD OPTIONS
NO_ACPI=       true    # do not build acpiconf(8) and related programs
NO_BOOT=       true    # do not build boot blocks and loader
NO_BLUETOOTH=  true    # do not build Bluetooth related stuff
NO_FORTRAN=    true    # do not build g77 and related libraries
NO_GDB=        true    # do not build GDB
NO_GPIB=       true    # do not build GPIB support
NO_I4B=        true    # do not build isdn4bsd package
NO_IPFILTER=   true    # do not build IP Filter package
NO_PF=         true    # do not build PF firewall package
NO_AUTHPF=     true    # do not build and install authpf (setuid/gid)
NO_KERBEROS=   true    # do not build and install Kerberos 5 (KTH Heimdal)
NO_LPR=        true    # do not build lpr and related programs
NO_MODULES=    true    # do not build modules with the kernel
NO_NETCAT=     true    # do not build netcat
NO_NIS=        true    # do not build NIS support and related programs
NO_SHAREDOCS=  true    # do not build the 4.4BSD legacy docs
NO_USB=        true    # do not build usbd(8) and related programs
NO_VINUM=      true    # do not build Vinum utilities
NO_ATM=        true    # do not build ATM related programs and libraries
NO_GAMES=      true    # do not build games (games/ subdir)
NO_RCMDS=      true    # do not build or install BSD r* commands (rsh, etc).
NO_INTE6=      true    # do not build IPv6 related programs and libraries
NO_PROFILE=    true    # Avoid compiling profiled libraries

# BIND OPTIONS
NO_BIND=               true    # Do not build any part of BIND
NO_BIND_DNSSEC=        true    # Do not build dnssec-keygen, dnssec-signzone
NO_BIND_ETC=           true    # Do not install files to /etc/namedb
NO_BIND_LIBS_LWRES=    true    # Do not install the lwres library
NO_BIND_MTREE=         true    # Do not run mtree to create chroot directories
NO_BIND_NAMED=         true    # Do not build named, rndc, lwresd, etc
```


And the login.conf of the jail looks like:


```
default:\
  :passwd_format=blf:\
  :minpasswordlen=6:\
  :copyright=/etc/COPYRIGHT:\
  :welcome=/etc/welcome:\
  :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
  :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
  :nologin=/var/run/nologin:\
  :coredumpsize=0:\
  :cputime=unlimited:\
  :datasize=10M:\
  :filesize=5m:\
  :maxproc=20:\
  :memorylocked=7M:\
  :memoryuse=15M:\
  :openfiles=50:\
  :sbsize=unlimited:\
  :vmemoryuse:100M:\
  :stacksize=2M:\
  :priority=5:\
  :ignoretime@:\
  :requirehome=1:\
  :idletime=30:\
  :umask=077:

staff:\
  :ignorenologin:\
  :coredumpsize=0:\
  :cputime=unlimited:\
  :datasize=unlimited:\
  :filesize=unlimited:\
  :maxproc=unlimited:\
  :memorylocked=unlimited:\
  :memoryuse=unlimited:\
  :openfiles=unlimited: \
  :sbsize=unlimited:\
  :vmemoryuse:unlimited:\
  :stacksize=unlimited:\
  :priority=0: \
  :requirehome=0: \
  :tc=default:

root:\
  :ignorenologin:\
  :sbsize=unlimited:\
  :tc=staff:

daemon:\
  :tc=staff:
```



Any comments ?


----------



## cajunman4life (Mar 1, 2009)

This may seem silly, but after editing login.conf you did perform:

cap_mkdb /etc/login.conf

Didn't you?


----------



## nbari (Mar 1, 2009)

yes


----------



## bartku (Apr 11, 2009)

For me, default class didn't work even though I set user class to default. I had to create new class and assign users to it.


----------

