PATCH: log key fingerprint upon successful login

Jos Backus josb at cncdsl.com
Wed Dec 5 09:29:51 EST 2001


This patch is against 3.0.2p1. It produces output like the first line in the
example below for both v1 and v2 logins. Logging is enabled by adding
``LogFingerprint yes'' to sshd_conf. It would be nice if something like this
made it into OpenSSH.

Dec  4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found
matching RSA1 key: dd:5f:1b:ed:2f:cd:a5:05:f6:d1:39:6b:d2:66:dc:2e
Dec  4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Accepted
rsa for josb from 1.2.3.4 port 1889

--- openssh-3.0.2p1.dist/auth-rsa.c	Mon Aug  6 14:01:49 2001
+++ openssh-3.0.2p1/auth-rsa.c	Tue Dec  4 14:14:06 2001
@@ -181,7 +181,7 @@
 	 */
 	while (fgets(line, sizeof(line), f)) {
 		char *cp;
-		char *options;
+		char *optionsp;
 
 		linenum++;
 
@@ -199,7 +199,7 @@
 		 */
 		if (*cp < '0' || *cp > '9') {
 			int quoted = 0;
-			options = cp;
+			optionsp = cp;
 			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 				if (*cp == '\\' && cp[1] == '"')
 					cp++;	/* Skip both */
@@ -207,7 +207,7 @@
 					quoted = !quoted;
 			}
 		} else
-			options = NULL;
+			optionsp = NULL;
 
 		/* Parse the key from the line. */
 		if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@@ -232,7 +232,7 @@
 		 * If our options do not allow this key to be used,
 		 * do not send challenge.
 		 */
-		if (!auth_parse_options(pw, options, file, linenum))
+		if (!auth_parse_options(pw, optionsp, file, linenum))
 			continue;
 
 		/* Perform the challenge-response dialog for this key. */
@@ -251,6 +251,15 @@
 		 * otherwise continue searching.
 		 */
 		authenticated = 1;
+		if (options.log_fingerprint) {
+			Key *auth_key = key_new(KEY_RSA1);
+			auth_key->rsa->n = pk->n;
+			auth_key->rsa->e = pk->e;
+			log("Found matching %s key: %s",
+				key_type(auth_key),
+				key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX));
+			key_free(auth_key);
+		}
 		break;
 	}
 
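Review bot: The RSA1 block on the new side hands `pk->n` and `pk->e` to a key that `key_free()` then releases: `key_new(KEY_RSA1)` allocates its own `n`/`e` BIGNUMs, so those two are leaked, and the `RSA_free()` inside `key_free()` frees the borrowed ones, leaving `pk` with dangling pointers that its owner will free again. Copy the values into the freshly allocated BIGNUMs with `BN_copy()` instead of aliasing them. As far as I recall this tree, `key_fingerprint()` returns a heap-allocated string that callers `xfree()`, so this call site and the two new ones in auth2.c each leak one string per match. The enclosing function starts and ends outside the hunk.
```c
		authenticated = 1;
		if (options.log_fingerprint) {
			Key *auth_key = key_new(KEY_RSA1);
			char *fp;

			/* copy, don't alias: key_free() releases auth_key's BIGNUMs */
			BN_copy(auth_key->rsa->n, pk->n);
			BN_copy(auth_key->rsa->e, pk->e);
			fp = key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX);
			log("Found matching %s key: %s", key_type(auth_key), fp);
			xfree(fp);
			key_free(auth_key);
		}
		break;
```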
diff -ruN openssh-3.0.2p1.dist/auth2.c openssh-3.0.2p1/auth2.c
--- openssh-3.0.2p1.dist/auth2.c	Tue Nov 13 04:46:19 2001
+++ openssh-3.0.2p1/auth2.c	Tue Dec  4 14:12:37 2001
@@ -690,8 +690,13 @@
 	found_key = 0;
 	found = key_new(key->type);
 
+	if (options.log_fingerprint)
+		log("Find matching %s key: %s",
+			key_type(key),
+			key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
+
 	while (fgets(line, sizeof(line), f)) {
-		char *cp, *options = NULL;
+		char *cp, *optionsp = NULL;
 		linenum++;
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
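Review bot: The `Find matching` message added before the loop fires for every key the client offers, before any authorized_keys entry has matched or a signature has been checked, so at auth.info it records fingerprints of unauthenticated attempts rather than logging "upon successful login" as the patch title states. If it is meant as a diagnostic, `debug()` is the closer fit; if it is meant to stay at log level, the description should say so and the example output should show it. I believe this function is called once per authorized_keys file in 3.0.2, so the line would also appear twice per offered key; worth confirming. The enclosing function starts and ends outside the hunk.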
@@ -703,7 +708,7 @@
 			/* no key?  check if there are options for this key */
 			int quoted = 0;
 			debug2("user_key_allowed: check options: '%s'", cp);
-			options = cp;
+			optionsp = cp;
 			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 				if (*cp == '\\' && cp[1] == '"')
 					cp++;	/* Skip both */
@@ -720,10 +725,14 @@
 			}
 		}
 		if (key_equal(found, key) &&
-		    auth_parse_options(pw, options, file, linenum) == 1) {
+		    auth_parse_options(pw, optionsp, file, linenum) == 1) {
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);
+			if (options.log_fingerprint)
+				log("Found matching %s key: %s",
+					key_type(key),
+					key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
 			break;
 		}
 	}
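Review bot: The `Found matching` log at the match site reports the key before the client has proved possession of it: if I remember the 3.0.2 flow correctly, user_key_allowed() is also reached for the unsigned pubkey probe (`have_sig == 0`) that precedes the signed request, so a fingerprint would be logged once for the probe and again for the real attempt, and a probe alone would yield a line the description presents as a successful login. Logging from the caller after key_verify() succeeds would give v2 the same post-proof semantics the auth-rsa.c site has, where the message follows the completed challenge-response dialog. The enclosing function starts outside the hunk.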
--- openssh-3.0.2p1.dist/servconf.c	Tue Nov 13 05:03:15 2001
+++ openssh-3.0.2p1/servconf.c	Tue Dec  4 12:37:39 2001
@@ -109,6 +109,7 @@
 	options->client_alive_count_max = -1;
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
+	options->log_fingerprint = -1;
 }
 
 void
@@ -229,6 +230,8 @@
 	}
 	if (options->authorized_keys_file == NULL)
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+	if (options->log_fingerprint == -1)
+		options->log_fingerprint = 0;
 }
 
 /* Keyword tokens. */
@@ -261,6 +264,7 @@
 	sBanner, sReverseMappingCheck, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+	sLogFingerprint,
 	sDeprecated 
 } ServerOpCodes;
 
@@ -334,6 +338,7 @@
 	{ "clientalivecountmax", sClientAliveCountMax },
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
+	{ "logfingerprint", sLogFingerprint },
 	{ NULL, 0 }
 };
 
@@ -858,6 +863,10 @@
 		case sClientAliveCountMax:
 			intptr = &options->client_alive_count_max;
 			goto parse_int;
+
+		case sLogFingerprint:
+			intptr = &options->log_fingerprint;
+			goto parse_flag;
 
 		case sDeprecated:
 			log("%s line %d: Deprecated option %s",
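Review bot: The new `logfingerprint` keyword is parsed here but the patch as posted touches neither sshd_config(5) nor the shipped sshd_config, so an administrator has no documented name or default for it; a one-line man page entry stating the default is `no` (the -1 → 0 fallback in the servconf.c defaults hunk) would close that gap. The matching `log_fingerprint` member added to ServerOptions in servconf.h also lacks the trailing comment its neighbours carry; `int	log_fingerprint;	/* Log fingerprint of key used at login */` would do.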
diff -ruN openssh-3.0.2p1.dist/servconf.h openssh-3.0.2p1/servconf.h
--- openssh-3.0.2p1.dist/servconf.h	Wed Sep 12 09:40:06 2001
+++ openssh-3.0.2p1/servconf.h	Tue Dec  4 12:37:39 2001
@@ -129,6 +129,7 @@
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 	int	pam_authentication_via_kbd_int;
+	int	log_fingerprint;
 
 }       ServerOptions;
 

Thanks,
-- 
Jos Backus                 _/  _/_/_/        Santa Clara, CA
                          _/  _/   _/
                         _/  _/_/_/             
                    _/  _/  _/    _/
josb at cncdsl.com     _/_/   _/_/_/            use Std::Disclaimer;


