SSHd not logging Failed publickey attempts

On Debian Squeeze I have sshd set up to not permit password logins and require key based authentication.

I notice that when I attempt to log in from the WAN into my box with a bad SSH key, I do not get the "Failed publickey...." message in auth.log. I only get "Connection from...." logged and that's it.

When I log in from within my LAN to my box with a bad key, I do get "Failed publickey...." logged. I want to be able to log all failed publickey attempts to SSH.

Does anyone have any advice as to why it's not logging failed keys from the WAN?


Solution 1:

I generally recommend increasing the default logging for sshd.The default loglevel is INFO, which gives you some minimal levels of information, but certainly not all. I recommend cranking that up to VERBOSE which will give you such events as the fingerprint of the key used for authentication, a log message when the user logs off, and should contain the failures that you're interested in.

Edit your /etc/ssh/sshd_config and find the setting for LogLevel. Change that such that it is

LogLevel VERBOSE

Then restart the sshd service.