[Bug 3959] New: Improve message about expired certificate

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 7 21:37:10 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3959

            Bug ID: 3959
           Summary: Improve message about expired certificate
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: u20230201 at gmail.com

When a user's SSH certificate has expired, the user sees a "Server
refused our key" message from PuTTY, and the server's syslog states:
sshd[24334]: error: Certificate invalid: expired

So no client ID, no user ID, no certificate ID.
For an admin this makes it hard to find out what's going on.

In contrast when the key succeeds, then the message is like:

sshd[19339]: Accepted publickey for use from 172.20.8.96 port 54233
ssh2: ED25519-CERT SHA256:A/WbJo0... ID 9518 at User... (serial 2) CA
ED25519 SHA256:EE8FNy...

So there's MUCH more information then.

Therefore I suggest enhancing the failure message for expired user
certificates in sshd.  For example the username, certificate ID, etc.
and expiration date could be logged.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
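Added example, not part of the bug report or of OpenSSH: a small parser over constructed syslog lines in the two formats quoted above. It correlates the bare "Certificate invalid" error with the connection's source address through the sshd pid (this assumes a "Connection from" line is present, which sshd logs at LogLevel VERBOSE, and that it carries the same pid as the later auth messages) and reports which identity fields each event still cannot answer, which is exactly the gap the report describes.

```python
import re

# Constructed sample syslog excerpt modelled on the lines quoted in the bug report.
# Fingerprints are shortened placeholders; the "Connection from" line is assumed.
SAMPLE_LOG = """\
May  7 21:30:01 host sshd[24334]: Connection from 172.20.8.96 port 54233 on 172.20.8.1 port 22
May  7 21:30:02 host sshd[24334]: error: Certificate invalid: expired
May  7 21:31:10 host sshd[19339]: Accepted publickey for user from 172.20.8.96 port 54233 ssh2: ED25519-CERT SHA256:A/WbJo0 ID 9518@User (serial 2) CA ED25519 SHA256:EE8FNy
"""

CONN_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Connection from (?P<ip>\S+) port (?P<port>\d+)")
INVALID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: error: Certificate invalid: (?P<reason>.+)")
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
    r"(?: ID (?P<cert_id>.+?) \(serial (?P<serial>\d+)\) CA (?P<ca_type>\S+) (?P<ca_fp>SHA256:\S+))?"
)


def parse_sshd_log(text):
    """Return a list of event dicts, one per auth outcome.

    Certificate failures are tied back to the peer address via the sshd pid.
    Fields the log line cannot supply (user, cert ID, serial, CA) stay None so
    the missing information is explicit rather than silently absent."""
    peers = {}   # pid -> (ip, port) from the pre-auth "Connection from" line
    events = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            peers[m["pid"]] = (m["ip"], int(m["port"]))
            continue
        m = INVALID_RE.search(line)
        if m:
            ip, port = peers.get(m["pid"], (None, None))
            events.append({"event": "cert_invalid", "reason": m["reason"], "pid": m["pid"],
                           "ip": ip, "port": port, "user": None, "cert_id": None,
                           "serial": None, "ca_fp": None})
            continue
        m = ACCEPT_RE.search(line)
        if m:
            d = m.groupdict()
            d["event"] = "accepted"
            d["port"] = int(d["port"])
            d["serial"] = int(d["serial"]) if d["serial"] else None
            events.append(d)
    return events


def missing_fields(event):
    """Identity fields an analyst would want that this event does not provide."""
    return [k for k in ("user", "ip", "cert_id", "serial", "ca_fp") if event.get(k) is None]
```

Run on the sample, the expired-certificate event resolves only the source address; the accepted event resolves every field, which is the asymmetry the report asks sshd to close.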
