sshd doesn't log which RSA key was used

Hank Leininger hlein at progressive-comp.com
Fri Dec 29 08:56:50 EST 2000


On 2000-12-28, Christian Kurz <shorty at debian.org> wrote:

> On 00-12-28 Markus Friedl wrote:
> > i am not sure about this feature.

> > you could add a
> > {Key k; k.rsa=pk; k.type=KEY_RSA1;
> > verbose("RSA auth accepted with key %s", key_fingerprint(&k));
> > }
> > to auth_rsa().

> Well, at my former employer we had only one account that was used by
> everyone to log into the server. In this situation it would be useful
> to have a line in the auth.log like this to see which user logged in and
> which key he used. Now I work at another company where we have

Yup.  This'd also be quite nice for automated jobs that can, say, log in
as root with a forced command="...", or shared access to an account that
runs a forced command="..." or scp's.

Here are some (lightly tested, whee) small patches to implement this for
RSA and DSA authentications.  I also added key-line-number printing for
keys which are skipped because their options blocks have restrictive
from='s, etc.  (BTW I think that wording is misleading: sshd says
"correct key but not from a permitted host", but as far as I can tell,
the key hasn't actually been tested yet--that check happens *before* the
client is challenged.  The verbiage suggests it wasn't always so.)

I'm also including a one-liner for my request the other day, that
changes 'tvp!=NULL kid...' from debug to debug2.

Mebbe these are small enough for someone to look over (and, probably,
fix ;) in time for inclusion in 2.4.0 ?

Thanks,

Hank Leininger <hlein at progressive-comp.com>

###

diff -u auth-options.c.orig auth-options.c
--- auth-options.c.orig	Sat Oct 14 01:23:11 2000
+++ auth-options.c	Thu Dec 28 15:51:38 2000
@@ -193,9 +193,9 @@
 			xfree(patterns);
 			if (mname == -1 || mip == -1 ||
 			    (mname != 1 && mip != 1)) {
-				log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
+				log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s, line=%lu).",
 				    pw->pw_name, get_canonical_hostname(),
-				    get_remote_ipaddr());
+				    get_remote_ipaddr(), linenum);
 				packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
 				get_canonical_hostname());
 				/* deny access */
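Review bot: the format string is being edited anyway, yet it still says "with correct key" at a point where, as the cover note itself observes, the key has not been challenged; reword it here, e.g. "Authentication tried for %.100s with a key that is not permitted from this host (host=%.200s, ip=%.200s, line=%lu)". Two smaller points: confirm that linenum is declared unsigned long so that "%lu" matches it on every platform, and note that a bare line number is ambiguous if this options parser serves both the protocol-1 path (auth-rsa.c hunk) and the protocol-2 path (auth2.c hunk), since those keys live in different files; logging the key type or file name alongside the line would remove the guesswork.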

diff -u auth-rsa.c.orig auth-rsa.c
--- auth-rsa.c.orig	Sun Oct 15 21:14:42 2000
+++ auth-rsa.c	Thu Dec 28 16:50:12 2000
@@ -28,6 +28,8 @@
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
+#include <openssl/dsa.h>
+#include "key.h"
 
 
 /* import */
@@ -276,6 +278,11 @@
 		 * otherwise continue searching.
 		 */
 		authenticated = 1;
+		/* Log which RSA key was used */
+		{
+			Key k; k.rsa=pk; k.type=KEY_RSA;
+			verbose("RSA auth successful for key %s", key_fingerprint(&k));
+		}
 		break;
 	}
 
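Review bot: `Key k` is a stack struct and only `k.rsa` and `k.type` are set, so any other member (a DSA pointer, given that `<openssl/dsa.h>` had to be pulled in for key.h) is left uninitialised; zero it with memset or use the library's key constructor if one exists, so key_fingerprint() never touches garbage if its handling of KEY_RSA changes. The message also omits the account: the deny message in the auth-options.c hunk prints pw->pw_name, so if the passwd struct is in scope in auth_rsa() log it here too ("RSA auth successful for %s with key %s"), otherwise a shared-account line cannot be tied to a user without the preceding "Accepted" entry. Finally, Markus's quoted suggestion uses KEY_RSA1 while this uses KEY_RSA; whichever tree this is meant for, the constant must match that tree's key.h.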
diff -u auth2.c.orig auth2.c
--- auth2.c.orig	Sat Oct 28 06:05:57 2000
+++ auth2.c	Thu Dec 28 16:04:14 2000
@@ -464,8 +464,11 @@
 #endif
 			/* test for correct signature */
 			if (user_dsa_key_allowed(authctxt->pw, key) &&
-			    dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+			    dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) {
 				authenticated = 1;
+				/* Log which DSA key was used */
+				verbose("DSA auth successful for key %s", key_fingerprint(key));
+			}
 			buffer_clear(&b);
 			xfree(sig);
 		} else {
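Review bot: as with the RSA hunk, the new verbose() logs only the fingerprint; include the user (authctxt->pw->pw_name is available, since authctxt->pw is already passed to user_dsa_key_allowed() two lines up) so the entry can be matched to the account. Consider also emitting a line in the case where user_dsa_key_allowed() succeeds but dsa_verify() returns something other than 1: a listed key whose signature fails is exactly the kind of event an operator wants to see, and today that path is silent apart from the generic failure.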

diff -u serverloop.c.orig serverloop.c
--- serverloop.c.orig	Fri Oct 27 23:19:58 2000
+++ serverloop.c	Wed Dec 27 22:32:23 2000
@@ -256,7 +256,7 @@
 		tvp = &tv;
 	}
 	if (tvp!=NULL)
-		debug("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds);
+		debug2("tvp!=NULL kid %d mili %d", child_terminated, max_time_milliseconds);
 
 	/* Wait for something to happen, or the timeout to expire. */
 	ret = select(max_fd + 1, readset, writeset, NULL, tvp);
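Review bot: demoting this trace to debug2 is the right call, since it fires on every pass through the server loop and drowns out the rest of debug output; while the line is being touched, "mili" is a misspelling and the message is cryptic, so something like "select timeout: child_terminated=%d max_time_ms=%d" would make the debug2 output self-explanatory.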

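What the new log lines buy an operator in practice is the ability to answer Christian's question ("which user logged in and which key he used") from auth.log alone. The script below is an added example, not from this thread and not OpenSSH code: it computes the same colon-separated MD5 fingerprints sshd prints, reads a user's authorized_keys / authorized_keys2 entries (including an options block with from= and command=), and matches them against the "RSA auth successful", "DSA auth successful" and "not from a permitted host (..., line=N)" messages the patch emits. Assumptions, all labelled in the code: the fingerprint is MD5 over the big-endian bytes of n followed by e for a protocol-1 RSA key and MD5 over the base64-decoded blob for a protocol-2 key; the log lines carry a syslog prefix; the key entries and log lines are constructed, with toy key sizes and a stand-in ssh-dss blob.

```python
# Added example (not from this thread, not OpenSSH code): correlate the key
# fingerprints and line numbers that the patch logs with the entries in a
# user's authorized_keys files.
#
# Assumed fingerprint formats (classic MD5 style, lowercase hex, colon-separated):
#   protocol 1 RSA key : MD5( big-endian bytes of n || big-endian bytes of e )
#   protocol 2 key     : MD5( base64-decoded key blob )
import base64
import hashlib
import re

# --- constructed sample input (toy key sizes; 192.0.2.0/24 is documentation space) ---
SAMPLE_AUTHORIZED_KEYS = """\
# protocol-1 file: [options] bits e n comment.  n=24930 (0x6162), e=99 (0x63) are toy values.
from="build.example.org",command="/usr/local/bin/deploy" 16 99 24930 deploy@build
"""
# protocol-2 file: [options] ssh-dss base64blob comment.  "YQ==" is a stand-in for a
# real ssh-dss wire blob; only the decoded bytes matter for the digest.
SAMPLE_AUTHORIZED_KEYS2 = "ssh-dss YQ== ops@shared\n"
# constructed auth.log lines in the shape of the patch's verbose()/log() strings
SAMPLE_LOG = """\
Dec 28 16:50:12 gw sshd[1234]: RSA auth successful for key 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72
Dec 28 16:51:03 gw sshd[1240]: DSA auth successful for key 0c:c1:75:b9:c0:f1:b6:a8:31:c3:99:e2:69:77:26:61
Dec 28 16:52:40 gw sshd[1251]: Authentication tried for deploy with correct key but not from a permitted host (host=other.example.net, ip=192.0.2.9, line=2).
Dec 28 16:53:00 gw sshd[1260]: RSA auth successful for key d4:1d:8c:d9:8f:00:b2:04:e9:80:09:98:ec:f8:42:7e
"""


def md5_fingerprint(data: bytes) -> str:
    """Colon-separated MD5 hex, the format sshd's key_fingerprint() prints."""
    return ":".join("%02x" % b for b in hashlib.md5(data).digest())


def rsa1_fingerprint(n: int, e: int) -> str:
    """Protocol-1 RSA fingerprint: MD5 over the big-endian bytes of n, then e."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return md5_fingerprint(nb + eb)


def split_options(line: str):
    """Split a leading options block from the key. The block ends at the first
    whitespace outside double quotes; a backslash inside quotes escapes the next char."""
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "\\" and in_quote:
            i += 1
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_entry(line: str, linenum: int):
    """Return a dict for one authorized_keys(2) entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first[0].isdigit() or first in ("ssh-dss", "ssh-rsa"):
        options, body = "", line          # no options block
    else:
        options, body = split_options(line)
    fields = body.split(None, 3)
    if fields[0].isdigit():               # protocol 1: bits e n comment
        e, n = int(fields[1]), int(fields[2])
        comment = fields[3] if len(fields) > 3 else ""
        ktype, fp = "RSA", rsa1_fingerprint(n, e)
    else:                                 # protocol 2: type base64blob comment
        fields = body.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        ktype = "DSA" if fields[0] == "ssh-dss" else "RSA"
        fp = md5_fingerprint(base64.b64decode(fields[1]))
    return {"line": linenum, "type": ktype, "fp": fp, "comment": comment, "options": options}


def load_entries(text: str):
    return [e for e in (parse_entry(l, n) for n, l in enumerate(text.splitlines(), 1)) if e]


SUCCESS_RE = re.compile(r"\b(RSA|DSA) auth successful for key ([0-9a-f]{2}(?::[0-9a-f]{2}){15})")
DENY_RE = re.compile(r"not from a permitted host \(host=([^,]+), ip=([^,)]+), line=(\d+)\)")


def correlate(log_text: str, entries):
    """Map each relevant log line to ("accepted", type, comment) or
    ("denied", ip, [comments on that line]).  The line number in the deny message
    does not say which keys file it refers to, so a list of candidates is returned."""
    by_fp = {e["fp"]: e for e in entries}
    by_line = {}
    for e in entries:
        by_line.setdefault(e["line"], []).append(e)
    out = []
    for ln in log_text.splitlines():
        m = SUCCESS_RE.search(ln)
        if m:
            e = by_fp.get(m.group(2))
            out.append(("accepted", m.group(1), e["comment"] if e else "UNKNOWN " + m.group(2)))
            continue
        m = DENY_RE.search(ln)
        if m:
            out.append(("denied", m.group(2), [e["comment"] for e in by_line.get(int(m.group(3)), [])]))
    return out


if __name__ == "__main__":
    ents = load_entries(SAMPLE_AUTHORIZED_KEYS) + load_entries(SAMPLE_AUTHORIZED_KEYS2)
    for r in correlate(SAMPLE_LOG, ents):
        print(r)
```

The fourth sample line deliberately carries a fingerprint that matches nothing in either file, which is the case worth alerting on: a successful login with a key the administrator cannot account for. Run it against a real auth.log by feeding `correlate()` the file contents and the entries of every account you care about; with LogLevel VERBOSE, sshd writes verbose() messages to syslog alongside the existing "Accepted" lines.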