What does 'Logged in without disclosing public key – Intrusion?' mean?

example asked:

I have set up a new Debian VM and installed gitlab-ce. There is not really much more on the VM…
Right from the beginning, the following msg started to show up in the auth.log:

Mon 2015-08-24 21:47:36.154862 CEST [s=a93d5b0787f54cb68c24d8c7c55985a4;i=2c1bc8;b=567468ca921c4b52ba291
    _TRANSPORT=syslog
    _UID=0
    _GID=0
    _BOOT_ID=567468ca921c4b52ba2911c8b97e5f3a
    _MACHINE_ID=b6d23c0be1dbee31de2dd2b1553a4f0c
    _HOSTNAME=kraken
    SYSLOG_FACILITY=4
    PRIORITY=4
    SYSLOG_IDENTIFIER=root
    _COMM=logger
    MESSAGE=ssh/bash[9276]: Logged in without disclosing public key - Intrusion?
    _PID=9283
    _SOURCE_REALTIME_TIMESTAMP=1440445656154862

By now it appears a few hundred times a day.

What exactly does it mean? Should I be worried?


Update: the msg does seem to come from sshd

   1 23979 23979 23979 ?           -1 Ss       0   4:37 /usr/sbin/sshd -D  
23979  9274  9274  9274 ?           -1 Ss       0   0:00  _ sshd: root@pts/2    
 9274  9276  9276  9276 pts/2     9276 Ss+      0   0:00      _ -bash

It seems to be triggered at every login from root (at least as well) and then appears in the logs between once and 40 or so times.

OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1k 8 Jan 2015

My answer:


The journal entry indicates that, by pid, bash posted the log message, using the logger program. This indicates that something in your startup scripts is creating this message.


View the full question and answer on Server Fault.
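
The reasoning in the answer can be checked mechanically; what follows is an added example, not part of the original question or answer. It separates the fields journald itself recorded about the sender (the underscore-prefixed ones, which are set by journald rather than by the program that logged) from the origin the message text claims, then searches bash startup files for the message text. The function names and the file list in `STARTUP_GLOBS` are assumptions made for this example.

```python
import glob
import os
import re

# Fields copied from the journal entry in the question (header line omitted).
ENTRY = """\
_UID=0
SYSLOG_IDENTIFIER=root
_COMM=logger
MESSAGE=ssh/bash[9276]: Logged in without disclosing public key - Intrusion?
_PID=9283
"""

# Assumed list of files bash may read at login on Debian; adjust per host.
STARTUP_GLOBS = ["/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc",
                 "~/.bash_profile", "~/.bash_login", "~/.profile", "~/.bashrc"]


def parse_fields(text):
    """Turn KEY=value journal lines into a dict, skipping anything else."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k: v for k, sep, v in pairs if sep and re.fullmatch(r"[A-Z0-9_]+", k)}


def attribute(fields):
    """Separate what journald recorded about the sender from what the text claims."""
    # _COMM and _PID describe the process that actually wrote the entry;
    # the "name[pid]:" prefix inside MESSAGE is free text chosen by the writer.
    claim = re.match(r"([^\[\s]+)\[(\d+)\]:", fields.get("MESSAGE", ""))
    return {
        "sender": (fields.get("_COMM"), int(fields.get("_PID", 0))),
        "claimed": (claim.group(1), int(claim.group(2))) if claim else None,
        "written_by_logger": fields.get("_COMM") == "logger",
    }


def find_emitters(needle, patterns=STARTUP_GLOBS):
    """Return (path, line number, line) for startup-script lines containing needle."""
    hits = []
    for pattern in patterns:
        for path in sorted(glob.glob(os.path.expanduser(pattern))):
            if not os.path.isfile(path):
                continue
            with open(path, errors="replace") as fh:
                hits += [(path, n, line.rstrip()) for n, line in enumerate(fh, 1)
                         if needle in line]
    return hits


if __name__ == "__main__":
    print(attribute(parse_fields(ENTRY)))
    for hit in find_emitters("without disclosing public key"):
        print("%s:%d: %s" % hit)
```

For the entry in the question, the recorded sender is `logger` with PID 9283, while the PID named in the message text, 9276, is the `-bash` process in the process listing.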

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.