[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ssh: improve logging for public key authentication (authorized_keys)
- To: bugs_(_at_)_openbsd_(_dot_)_org
- Subject: ssh: improve logging for public key authentication (authorized_keys)
- From: "Ulrich Windl" <ulrich_(_dot_)_windl_(_at_)_rz_(_dot_)_uni-regensburg_(_dot_)_de>
- Date: Tue, 05 Apr 2005 11:51:29 +0200
- Organization: Universitaet Regensburg, Klinikum
I've queried the PR database, but could not find any change-request regarding the
issue that'll follow (I thought I had suggested it a few years before):
Currently when authentication via a public key found in ~/.ssh/authorized_keys,
the syslog message reads like this:
sshd: Accepted publickey for root from 192.168.0.12 port 50233 ssh2
Now if you imagine that "root" is just a role, and "authorized_keys" does actually
contain one key for each person who may take the role of root, you might
understand the wish to log which public key was accepted.
[Note: When loggin in via the shared secret (password), it's clear which secret
was used, but it's not for "authorized keys":
sshd: Accepted password for root from 126.96.36.199 port 2420 ssh2
To be specific, I suggest to replace the phrase "publickey" (shouldn't it be
"public key" anyway?) with something like "public key
9d:20:47:83:1e:5e:97:1c:2f:5f:b4:52:5b:b6:15:da" (adding the fingerprint of the
user's public key). This was inspired by the connection message to some yet
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 9d:20:47:83:1e:5e:97:1c:2f:5f:b4:52:5b:b6:15:da.
I assume that a fingerprint from the user's public key can be created inside sshd,
and that that string with the fingerprint can be passed as `method' to auth_log()
in auth.c. Unfortunately this enhancement is not quite trivial.
I think that the security is not weakened by adding this change. If in doubt, the
feature could be controllable by some new configuration valiable like
"LogAuthorizedKeys" or "LogPublicKeys" or "LogKeyFingerprints", or you get the
Visit your host, monkey.org