logging RSA key IDs
Damien Miller
djm at mindrot.org
Wed Feb 2 20:29:16 EST 2000
On Tue, 1 Feb 2000, Phil Karn wrote:
> Hi. To compartmentalize things a bit (e.g., to help limit the damage
> should one of my machines be hacked and my private RSA keys stolen) I
> use different RSA key pairs on my different client machines.
>
> So it occurs to me that it would be nice if ssh could log which key
> was used when logging in to a particular account that has more than
> one entry in .ssh/authorized_keys. Right now it simply says "Accepted
> rsa for karn from <blah blah>" without saying which key was used.
>
> You obviously don't want to log the whole public key, just the comment
> field from the appropriate line in .ssh/authorized_keys would do.
I don't think the comment is sent as part of the RSA authentication
dialog, though it may be possible to log the fingerprint of the client
user or host key.
Attached is a quick and very dirty patch which does just that.
Regards,
Damien
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
-------------- next part --------------
? ssh
? sshd
? configure
? config.h.in
? config.log
? config.h
? config.cache
? Makefile
? random.h
? random.c
? config.status
? ssh-add
? ssh-keygen
? scp
? ssh-agent
? scp.1.out
? ssh-add.1.out
? ssh-agent.1.out
? ssh-keygen.1.out
? ssh.1.out
? sshd.8.out
? sshd_config.out
? ssh_config.out
Index: auth-rh-rsa.c
===================================================================
RCS file: /var/cvs/openssh/auth-rh-rsa.c,v
retrieving revision 1.7
diff -u -r1.7 auth-rh-rsa.c
--- auth-rh-rsa.c 1999/11/25 00:54:57 1.7
+++ auth-rh-rsa.c 2000/02/02 09:28:51
@@ -22,7 +22,11 @@
#include "xmalloc.h"
#include "uidswap.h"
#include "servconf.h"
+#include "fingerprint.h"
+/* Client host fingerprint from rhosts RSA authentication. */
+extern char *rhost_fingerprint;
+
/*
* Tries to authenticate the user using the .rhosts file and the host using
* its host key. Returns true if authentication succeeds.
@@ -103,5 +107,10 @@
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
pw->pw_name, client_user, canonical_hostname);
packet_send_debug("Rhosts with RSA host authentication accepted.");
+
+ /* Take a copy of the rhost's key's fingerprint */
+ rhost_fingerprint = xstrdup(fingerprint(client_host_key_e,
+ client_host_key_n));
+
return 1;
}
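Review bot: The assignment `rhost_fingerprint = xstrdup(...)` on the accepted path overwrites the global without releasing any earlier copy, so a connection that reaches this point more than once leaks the previous string and the log later reflects only the last one; free first, e.g. `if (rhost_fingerprint != NULL) xfree(rhost_fingerprint);` (xfree from the xmalloc.h this file already includes). The xstrdup() also suggests fingerprint() hands back a buffer it owns (static or reused) — if that is so, a short comment saying why the copy is taken would help the next reader, e.g. `/* fingerprint() reuses its buffer; keep our own copy for the auth log */`. Since the `verbose()` line two lines above already names the accepted host and user, it would be a natural place to include the same fingerprint directly rather than only via the global. auth_rhosts_rsa's body begins outside this hunk.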
Index: auth-rsa.c
===================================================================
RCS file: /var/cvs/openssh/auth-rsa.c,v
retrieving revision 1.12
diff -u -r1.12 auth-rsa.c
--- auth-rsa.c 2000/01/20 11:44:09 1.12
+++ auth-rsa.c 2000/02/02 09:28:53
@@ -25,6 +25,7 @@
#include "mpaux.h"
#include "uidswap.h"
#include "servconf.h"
+#include "fingerprint.h"
#ifdef HAVE_OPENSSL
#include <openssl/rsa.h>
@@ -43,6 +44,9 @@
extern char *forced_command;
extern struct envstring *custom_environment;
+/* Client fingerprint from RSA authentication. */
+extern char *client_fingerprint;
+
/*
* Session identifier that is used to bind key exchange and authentication
* responses to a particular session.
@@ -286,6 +290,9 @@
*/
authenticated = 1;
+ /* Take a copy of the client key's fingerprint */
+ client_fingerprint = xstrdup(fingerprint(e, n));
+
/* RSA part of authentication was accepted. Now process the options. */
if (options) {
while (*options && *options != ' ' && *options != '\t') {
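Review bot: `client_fingerprint` is captured at the moment `authenticated = 1` is set, before the authorized_keys options are processed, so a key that passes the RSA challenge but is then rejected by an option such as `from=` (which, as far as visible here, clears `authenticated` later in this function) leaves the global pointing at that key's fingerprint for the rest of the connection. Any subsequent attempt — another key, or a password — will then be logged against the wrong key identity unless the caller clears it. At minimum free the previous value before assigning, `if (client_fingerprint != NULL) xfree(client_fingerprint);`, and document the ownership: `/* Copied because fingerprint() appears to reuse its buffer; freed by the caller after logging */`. auth_rsa's body starts and ends outside this hunk.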
Index: sshd.c
===================================================================
RCS file: /var/cvs/openssh/sshd.c,v
retrieving revision 1.55
diff -u -r1.55 sshd.c
--- sshd.c 2000/01/26 00:07:22 1.55
+++ sshd.c 2000/02/02 09:29:04
@@ -101,6 +101,12 @@
/* RSA authentication "environment=" options. */
struct envstring *custom_environment = NULL;
+/* Client fingerprint from RSA authentication. */
+char *client_fingerprint = NULL;
+
+/* Client host fingerprint from rhosts RSA authentication. */
+char *rhost_fingerprint = NULL;
+
/* Session id for the current session. */
unsigned char session_id[16];
@@ -1504,11 +1510,15 @@
type == SSH_CMSG_AUTH_PASSWORD)
authlog = log;
- authlog("%s %s for %.200s from %.200s port %d%s",
+ authlog("%s %s for %.200s %s%sfrom %.200s %s%sport %d%s",
authenticated ? "Accepted" : "Failed",
get_authname(type),
pw->pw_uid == 0 ? "ROOT" : pw->pw_name,
+ client_fingerprint != NULL?client_fingerprint:"",
+ client_fingerprint != NULL?" ":"",
get_remote_ipaddr(),
+ rhost_fingerprint != NULL?rhost_fingerprint:"",
+ rhost_fingerprint != NULL?" ":"",
get_remote_port(),
user);
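Review bot: Nothing in this hunk clears `client_fingerprint` or `rhost_fingerprint` after the `authlog()` call, and the declarations added in sshd.c give them connection lifetime, so a fingerprint set by an RSA key that was later rejected by its authorized_keys options is carried into every later "Failed"/"Accepted" line for this connection, including a later password authentication that never involved that key. Because the fingerprint describes one attempt, release and reset both globals immediately after logging; that also plugs the per-attempt xstrdup() leak. The enclosing authentication loop begins and ends outside this hunk, and xfree() is assumed to reject a NULL argument, hence the guards.
```c
	    user);

	/* The fingerprints describe this attempt only: clear them so a later
	 * attempt (e.g. a key refused by its from= option, then a password)
	 * is not logged with a stale key identity. */
	if (client_fingerprint != NULL) {
		xfree(client_fingerprint);
		client_fingerprint = NULL;
	}
	if (rhost_fingerprint != NULL) {
		xfree(rhost_fingerprint);
		rhost_fingerprint = NULL;
	}
```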