What do these entries in my SSH logs mean?

Question

I recently noticed that I have entries from an unknown IP address in my SSH logs. I performed a grep to extract all entires that didn't contain my own IP address. I was presented with this:

Jul 24 22:06:54 server1 sshd[8261]: Accepted publickey for root from xxx.xxx.xx.xxx port 39721 ssh2
Jul 25 04:06:50 server1 sshd[8233]: Accepted publickey for root from xxx.xxx.xx.xxx port 40800 ssh2
Jul 25 04:08:30 server1 sshd[8233]: Received disconnect from xxx.xxx.xx.xxx: 11: disconnected by user

I have a few questions:

• Are the first two lines successfull or attempted log ins?
• Is the third line a disconnect resulting from a successfull or attempted log in?
• Is the four digit number in square brackets after sshd the PID?

I'm running CentOS 5 on a dedicated server. I am using OpenSSH.

Answer 1

First two lines are successful logins.

Third line indicates that the connection made on the second line was disconnect (notice the PID in the square brackets, in this case 8233, are the same, indicating that the SSHD process that was spawned and accepted a public key has now disconnected... the same process generated the two lines in the log).

The PID is the method you can use to track a particular session. When a connection is made to SSHD a new process is spawned with a unique PID (unique in any one instance - that PID may be reused some time later, maybe several hours or days later as all PIDs are eventually recycled). That process stays with the connection as long as the connection lives. So if you grep for a particular PID you can get a history of what happened on that connection.

Answer 2

• Yes, they look successful. sshd was presented with a public key which exists in ~root/.ssh/authorized_keys.
• I've never seen this message from anything other than a successfully-logged-in connection.
• Yes, it'd the PID.