
Many publickey logins? Is this a normal behavior?

Question asked by bre on Aug 20, 2012
Latest reply on Aug 20, 2012 by Patric Fox

Hi,

 

Currently we are testing the publickey logins for Qualys.

On a test machine there were about 185 logins like this:

 

Aug 20 14:25:12 HOSTNAME sshd[11251]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56612 ssh2

Aug 20 14:25:15 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:15 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:15 HOSTNAME sshd[11320]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56614 ssh2

Aug 20 14:25:18 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:18 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:19 HOSTNAME sshd[11399]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56615 ssh2

Aug 20 14:25:22 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:22 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:22 HOSTNAME sshd[11471]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56616 ssh2

Aug 20 14:25:25 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:25 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:26 HOSTNAME sshd[11557]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56618 ssh2

Aug 20 14:25:29 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:29 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:30 HOSTNAME sshd[11668]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56619 ssh2

Aug 20 14:25:33 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:33 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:34 HOSTNAME sshd[11753]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56620 ssh2

Aug 20 14:25:37 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:37 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:38 HOSTNAME sshd[11833]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56622 ssh2

Aug 20 14:25:41 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:41 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:42 HOSTNAME sshd[11920]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56623 ssh2

Aug 20 14:25:45 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:45 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:45 HOSTNAME sshd[11989]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56624 ssh2

Aug 20 14:25:48 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:48 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:49 HOSTNAME sshd[12058]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56626 ssh2

Aug 20 14:25:52 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:52 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:53 HOSTNAME sshd[12153]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56627 ssh2

Aug 20 14:25:56 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:56 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:25:56 HOSTNAME sshd[12228]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56629 ssh2

Aug 20 14:25:59 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:25:59 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:26:00 HOSTNAME sshd[12297]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56630 ssh2

Aug 20 14:26:03 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:26:03 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:26:03 HOSTNAME sshd[12366]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56632 ssh2

Aug 20 14:26:06 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:26:06 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:26:07 HOSTNAME sshd[12459]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56633 ssh2

Aug 20 14:26:10 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:26:10 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:26:11 HOSTNAME sshd[12528]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56635 ssh2

Aug 20 14:26:14 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:26:14 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:26:14 HOSTNAME sshd[12606]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56636 ssh2

Aug 20 14:26:17 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:26:17 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

Aug 20 14:26:18 HOSTNAME sshd[12677]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56637 ssh2

Aug 20 14:26:21 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -

Aug 20 14:26:21 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3

 

Is this a normal behavior? I thought only one login would be needed.

 

Thanks
Mark
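
Added example, not part of the original post: one way to summarise log entries like those above, counting publickey logins per account and source address, the time span they cover, and the sudo commands that followed, then listing sources outside an expected scanner address set. The function names, the `year` parameter, the allow-list and the `203.0.113.50` line are assumptions made for this sketch.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first six lines follow the format posted above,
# the last line (different source address) is invented for illustration.
SAMPLE_LOG = """\
Aug 20 14:25:12 HOSTNAME sshd[11251]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56612 ssh2
Aug 20 14:25:15 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -
Aug 20 14:25:15 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3
Aug 20 14:25:15 HOSTNAME sshd[11320]: Accepted publickey for QUALYS_USER_ACCOUNT from 1.2.3.4 port 56614 ssh2
Aug 20 14:25:18 HOSTNAME sudo:   QUALYS_USER_ACCOUNT : TTY=pts/3 ; PWD=/home/QUALYS_USER_ACCOUNT ; USER=root ; COMMAND=/bin/su -
Aug 20 14:25:18 HOSTNAME su: (to root) QUALYS_USER_ACCOUNT on /dev/pts/3
Aug 20 14:30:02 HOSTNAME sshd[13001]: Accepted publickey for QUALYS_USER_ACCOUNT from 203.0.113.50 port 40100 ssh2
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
LOGIN_RE = re.compile(TS + r"sshd\[\d+\]: Accepted publickey for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(TS + r"sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)")


def summarize(text, year=2012):
    """Return (logins, sudo): logins per (user, source), sudo commands per user."""
    logins, sudo = {}, Counter()
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entry = logins.setdefault((m.group(2), m.group(3)),
                                      {"count": 0, "first": ts, "last": ts})
            entry["count"] += 1
            entry["first"] = min(entry["first"], ts)
            entry["last"] = max(entry["last"], ts)
        elif m := SUDO_RE.match(line):
            # Key: (invoking user, target user, command line).
            sudo[(m.group(2), m.group(3), m.group(4).strip())] += 1
    return logins, sudo


def unexpected_sources(logins, scanner_ips):
    """List (user, source) pairs whose source is not an expected scanner address."""
    return sorted(key for key in logins if key[1] not in scanner_ips)


if __name__ == "__main__":
    logins, sudo = summarize(SAMPLE_LOG)
    for (user, src), e in logins.items():
        print(user, src, e["count"], "logins over", e["last"] - e["first"])
    print("sudo:", dict(sudo))
    print("unexpected:", unexpected_sources(logins, {"1.2.3.4"}))
```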
