Commit 7c2cb7e2 authored by Adam Lewenberg's avatar Adam Lewenberg
Browse files

change how we define sunetids ignored by filter-syslog for ssh auth failures

parent c5b4d0d1
release/005.007 (unreleased)
[ssh] Change the method by which we specify a list of sunetids to
filter via filter-syslog. If you install this version of base you will
need to add to hiera the list of sunetids whose authentication failure
warnings you want to continue ignoring. Otherwise, your root mail get
noisier. Because this only affects filter-syslog it has no affect on
the actual ssh service running on the server, so it is a very
low-impact change. [adamhl]
release/005.006 (2017-02-16)
[kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
......@@ -14,10 +14,15 @@
# sudo, see the base::sudo class.
# Default: false
# $filter_sunetids: ignore "authentication failure" messages for this list
# of sunetids.
# Default: the empty array (so don't filter any such messages)
class base::ssh(
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false,
$filter_sunetids = [],
# Install the openssh server package.
......@@ -102,6 +107,6 @@ class base::ssh(
# Ignore routine ssh messages.
file { '/etc/filter-syslog/ssh':
source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh',
content => template('base/ssh/etc/filter-syslog/ssh.erb'),
......@@ -64,12 +64,24 @@ sshd: /^Disconnecting: Too many authentication failures for \S+$/
# Ignore failed logins by ACS and other AS and ITS staff. We all mistype
# passwords occasionally.
sshd: /^sshd\(pam_unix\): authentication failure; .* user=(adamhl|atayts|bxk|chekh|chom|jmcdermo|jcowart|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl)$/
sshd: /^pam_(unix|krb5)\(sshd:auth\): authentication failure;.* (logname|user)=(adamhl|atayts|bxk|chekh|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl)( |\Z)/
sshd: /^Disconnecting: Too many authentication failures for (adamhl|atayts|bxk|chehk|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl) \[preauth\]$/
sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (adamhl|atayts|bxk|chehk|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl) from [a-f:\d.]+ port \d+ ssh2$/
sshd: /^PAM \d+ more authentication failures?; .* user=(adamhl|atayts|bxk|chehk|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl)$/
sshd: /^error: PAM: Authentication failure for (adamhl|atayts|bxk|chekh|chom||jcowart|jonrober|jmcdermo|ktai|laltman|nbfa|saracook|sfeng|swl) from [a-z:\d.-]+$/
# Create an "OR" of all the sunetids we can ignore.
if (@filter_sunetids.length > 0) then
ignore_or_string = @filter_sunetids.join("|")
sshd: /^sshd\(pam_unix\): authentication failure; .* user=(<%= ignore_or_string %>)$/
sshd: /^pam_(unix|krb5)\(sshd:auth\): authentication failure;.* (logname|user)=(<%= ignore_or_string %>)( |\Z)/
sshd: /^Disconnecting: Too many authentication failures for (<%= ignore_or_string %>) \[preauth\]$/
sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (<%= ignore_or_string %>) from [a-f:\d.]+ port \d+ ssh2$/
sshd: /^PAM \d+ more authentication failures?; .* user=(<%= ignore_or_string %>)$/
sshd: /^error: PAM: Authentication failure for (<%= ignore_or_string %>) from [a-z:\d.-]+$/
# Puppet Note: No sunetids provided, so skipping.
# Ignore GSS-API failures as root. This is normally because people try to
# use their normal credentials for root access.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment