logging RSA key IDs

Harold Gutch logix at foobar.franken.de
Fri Feb 4 09:38:01 EST 2000


On Tue, Feb 01, 2000 at 01:57:05PM -0800, Phil Karn wrote:
> Hi. To compartmentalize things a bit (e.g., to help limit the damage
> should one of my machines be hacked and my private RSA keys stolen) I
> use different RSA key pairs on my different client machines.
> 
> So it occurs to me that it would be nice if ssh could log which key
> was used when logging in to a particular account that has more than
> one entry in .ssh/authorized_keys.  Right now it simply says "Accepted
> rsa for karn from <blah blah>" without saying which key was used.
> 
> You obviously don't want to log the whole public key, just the comment
> field from the appropriate line in .ssh/authorized_keys would do.

Perhaps I'm overseeing the obvious - but why not?  The only thing
that gets logged is the _public_ key, the one the server knows
anyway already, the one in the user's $HOME/.ssh/identity.pub
file.
If the machine is compromised, this public key is compromised as
well.
If the machine isn't compromised, the only one who will be able
to see this key is root (you do set the correct permissions on
your logfiles, don't you?);  but root is always able to simply
peek into the users' identity.pub files anyway.

All in all I don't see how logging the complete public key that
was used leaks any information anywhere, neither do I see privacy
issues.
One might argue that the logfile will grow significantly larger,
but frankly I hardly believe that they would grow as much as they
need to give you problems - YMMV (and one could always add a
configurable limit - like limit it to the first 64 chars etc.)

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
              Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
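As an added example (not code from the original thread or from OpenSSH), the mapping the thread asks for, done on the defender's side: a parser for authorized_keys entries that computes the SHA256 fingerprint modern sshd prints in its "Accepted publickey ... ssh2: TYPE SHA256:..." line and resolves it back to the entry's comment field, capped at a configurable length as suggested above. The sample keys, the log line and the function names are constructed for this example.

```python
import base64
import hashlib
import re
import struct

# Key-type field of an authorized_keys line; whatever precedes it is the options field.
_KEY_RE = re.compile(r'(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')

def parse_line(line: str):
    """Parse one authorized_keys line into a dict, or return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        raise ValueError("no recognised key type: " + line[:40])
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    blob = base64.b64decode(b64)
    # The blob begins with its own type string; a mismatch means a mangled or edited line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type mismatch in blob for " + comment)
    # sshd renders fingerprints as SHA256 of the blob, base64 without padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": line[:m.start()].strip(), "type": keytype, "fingerprint": fp, "comment": comment}

def index_keys(text: str) -> dict:
    """Map fingerprint -> entry for every key in an authorized_keys file."""
    return {e["fingerprint"]: e for e in map(parse_line, text.splitlines()) if e}

# Modern sshd logs "Accepted publickey for U from H port P ssh2: TYPE SHA256:..." on success.
_LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) .*?(SHA256:[A-Za-z0-9+/]+)")

def key_id_for_log_line(log_line: str, index: dict, limit: int = 64) -> str:
    """Return the authorized_keys comment behind an accept line, capped at `limit` chars."""
    m = _LOG_RE.search(log_line)
    if not m or m.group(3) not in index:
        return "unknown key"
    return index[m.group(3)]["comment"][:limit]

# Constructed sample: two ed25519 entries whose 32-byte public values are made up, not real keys.
def _fake_ed25519(seed: int) -> str:
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

SAMPLE_KEYS = "\n".join([
    "# karn's client machines, one key per host",
    "ssh-ed25519 %s karn@laptop" % _fake_ed25519(1),
    'from="10.0.0.0/8",no-pty ssh-ed25519 %s karn@desktop' % _fake_ed25519(2),
])
```

Because the fingerprint is derived from the public blob alone, the index can be rebuilt from authorized_keys at any time and joined against the auth log without ever writing key material into the log.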