sshd service: Default to INFO logLevel (upstream default) #100255
Motivation for this change
This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
The previous justification (added in #40692) for using
I've verified it; sshd logs with
As shown, the fingerprint for the successful login is still printed with
I got the bit about
On the motivation of the change, I believe that following the OpenSSH upstream default should take precedence over making OpenSSH play well with fail2ban out-of-the-box.
If we instead concluded that we should keep a higher default SSH log level to benefit fail2ban, then we should document that in the sshd options.
The previous justification for using "VERBOSE" is incorrect, because OpenSSH does use level INFO to log "which key was used to log in" for successful logins, see: https://github.com/openssh/openssh-portable/blob/6247812c76f70b2245f3c23f5074665b3d436cae/auth.c#L323-L328
Also update description to the wording of the sshd_config man page.
`fail2ban` needs sshd to be "VERBOSE" to work well, thus the `fail2ban` module sets it to "VERBOSE" if enabled.
The docs are updated accordingly.
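An added example, not part of this pull request or of NixOS: a small audit that recovers which key was used for each successful login from INFO-level sshd logs alone, assuming the `Accepted publickey for <user> from <ip> port <n> ssh2: <type> SHA256:<fingerprint>` line format. The log lines, fingerprints and the `allowed` mapping are constructed for illustration.

```python
import re
from collections import defaultdict

# INFO-level line sshd writes for a successful public-key login.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)"
)

# Constructed fingerprints (not real keys) and documentation-range IPs.
FP_A = "SHA256:CONSTRUCTEDaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
FP_B = "SHA256:CONSTRUCTEDbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SAMPLE_LOG = f"""\
Oct 11 10:02:11 host sshd[811]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 {FP_A}
Oct 11 10:05:40 host sshd[820]: Invalid user admin from 198.51.100.7 port 40022
Oct 11 10:07:03 host sshd[833]: Accepted password for bob from 192.0.2.44 port 50010 ssh2
Oct 11 10:09:59 host sshd[840]: Accepted publickey for alice from 203.0.113.5 port 39001 ssh2: RSA {FP_B}
Oct 11 10:12:30 host sshd[852]: Accepted publickey for alice from 203.0.113.5 port 39177 ssh2: ED25519 {FP_A}
"""

def keys_used(log_text):
    """Map each user to {fingerprint: sorted list of source IPs}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:  # password logins and failures carry no fingerprint
            seen[m["user"]][m["fp"]].add(m["ip"])
    return {u: {fp: sorted(ips) for fp, ips in fps.items()}
            for u, fps in seen.items()}

def unexpected_keys(log_text, allowed):
    """List (user, fingerprint, ips) for logins with a key outside `allowed`.

    `allowed` is a hypothetical inventory: user -> set of known fingerprints.
    """
    findings = []
    for user, fps in sorted(keys_used(log_text).items()):
        for fp, ips in sorted(fps.items()):
            if fp not in allowed.get(user, set()):
                findings.append((user, fp, ips))
    return findings

if __name__ == "__main__":
    for user, fp, ips in unexpected_keys(SAMPLE_LOG, {"alice": {FP_A}}):
        print(f"{user}: unrecognised key {fp} from {', '.join(ips)}")
```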