
CVE-2023-27100: Bug #13574: Extra remote address information can confuse ``sshguard`` - pfSense

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.


Bug #13574: Extra remote address information can confuse ``sshguard``

Status: closed
Plus Target Version: 23.01

Description

The authentication system attempts to be informative and print extra information along with IP addresses to completely identify where a user logs in from. This includes the authentication source (e.g. local database, LDAP or RADIUS, auth server name) and the contents of proxy headers such as X-Forwarded-For or Client-IP, to further clarify exactly where a user is located.

This extra information is printed after the IP address of the remote user in various places, including log messages for authentication.

The extra information confuses the sshguard parser and it fails to recognize the client IP address in authentication error messages, so the protection may not be enforced depending on the content of the request headers.

While this extra information can be helpful, it isn’t relevant for authentication failures since (a) the auth source is unknown/undefined as it failed every attempt and (b) since the login failed the rest of the headers shouldn’t be trusted anyhow. Thus, we can safely remove it from the error messages.
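The failure mode described above, as an added example that is not part of the bug report or of pfSense's or sshguard's own code: a small log-scanning script in the spirit of sshguard's signature matching, run over constructed log lines. The log format is an assumption modelled on the general shape of pfSense webConfigurator auth-failure messages, not copied from either project; the first two lines carry the trailing "extra information" (auth source, proxy header) that the report says defeats the parser, and the third is the post-fix form with only the address. The strict pattern requires the address to be the last token on the line and so counts only the fixed form; the tolerant pattern anchors on the address immediately after "from:" and ignores whatever the client managed to get appended behind it, which is the property a brute-force counter needs.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed format, not taken from pfSense source).
# Lines 1-2: pre-fix format with extra information appended after the address.
# Line 3:    post-fix format, address only.
SAMPLE_LOG = """\
Feb  1 12:00:01 fw php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7 (Local Database)
Feb  1 12:00:02 fw php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7 (X-Forwarded-For: 10.0.0.5)
Feb  1 12:00:03 fw php-fpm[345]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7
"""

# Strict signature: the address must be the final token on the line. Any
# decoration appended after it (auth source, proxy header contents) makes the
# line unmatched, so the attempt is never counted against the client.
STRICT_RE = re.compile(
    r"webConfigurator authentication error for user '[^']*' from: (\S+)$"
)

# Tolerant signature: take the IPv4/IPv6 literal directly after "from:" and
# stop there. Text after the address is client-influenced (X-Forwarded-For,
# Client-IP) and is deliberately ignored, so the attacker cannot pick the
# address that gets blocked or break the match by padding the line.
TOLERANT_RE = re.compile(
    r"webConfigurator authentication error for user '[^']*' from: "
    r"(\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)\b"
)


def extract_attacker(line, pattern):
    """Return the remote address a signature extracts from one log line, or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


def count_failures(log_text, pattern):
    """Tally failed attempts per address, the way a brute-force blocker would."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = extract_attacker(line, pattern)
        if ip:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    # With the strict parser only the post-fix line is attributed to the client,
    # so two of three failures never count towards a block (the bypass).
    print("strict:  ", dict(count_failures(SAMPLE_LOG, STRICT_RE)))
    # With the tolerant parser all three failures are attributed correctly.
    print("tolerant:", dict(count_failures(SAMPLE_LOG, TOLERANT_RE)))
```

Either removing the decoration from the log line (the fix pfSense shipped) or anchoring the parser on the address rather than on end-of-line closes the gap; doing both is the defensive choice, since it keeps a future change to the log format from silently disabling the protection again.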


  • Status changed from In Progress to Feedback

  • % Done changed from 0 to 100

  • Status changed from Feedback to Resolved

The extra information is no longer printed in the log, and sshguard properly recognizes the failed attempts even when the client provides the X-Forwarded-For or Client-IP headers.

  • Private changed from Yes to No


Related news

pfsenseCE 2.6.0 Protection Bypass

pfsenseCE version 2.6.0 suffers from an anti-brute force protection bypass vulnerability.
