Hello, I'm checking out the changes coming along with OpenBSD 7.6, and
I'm having trouble with OpenSSH's "Invalid-User" Match.

Add a new sshd_config(5) "invalid-user" Match predicate that allows
matching on invalid usernames, e.g. to allow penalisation of
account/password guessers.

Now I might very well be doing it wrong, but I cannot figure out why
my username is not considered 'valid'. I am testing things out
on the following system:

xse@krkrkr ~ $ uname -a
OpenBSD krkrkr.org 7.6 GENERIC#332 amd64
xse@krkrkr ~ $ sshd -V
OpenSSH_9.9, LibreSSL 4.0.0
xse@krkrkr ~ $ whoami
xse

Here's a configuration extract (full: https://clbin.com/LIek2 ):

PerSourcePenalties refuseconnection:120s
Match Invalid-User
        RefuseConnection yes

where the penalty is applied to my 'valid' user (VERBOSE logs extract):

krkrkr sshd-session[50285]: administratively prohibited connection for xse from 86.253.103.85 port 54128
krkrkr sshd[15468]: srclimit_penalise: ipv4: new 86.253.103.85/32 active penalty of 120 seconds for penalty: connection prohibited by RefuseConnection

Finally a DEBUG3 LogLevel extract which outputs:

debug3: checking match for 'Invalid-User' user xse host 86.253.103.85 addr 86.253.103.85 laddr 46.23.92.76 lport 1337
debug3: match not found

I'm not too sure what I'm doing wrong here and would appreciate any
pointers. Have a good day!
