Logging of RSA/DSA key used?
Dawes, Rogan (ZA - Johannesburg)
rdawes at deloitte.co.za
Wed Jun 13 16:48:10 EST 2001
Hi folks,
I am sitting with a requirement to configure an account for shared use, with
access via SSH, and RSA/DSA keys.
What I would like to do, and I know it is not foolproof, is log the key
presented in order to log on, for audit purposes.
The intention is that each user has their own key pair, and the public keys
are all stored on the server, as expected. When the key presented is
accepted, simply log the key finger print, or the key itself to syslog.
I have experimented a little with the available log levels, and saw an entry
at VERBOSE level which is almost what I am looking for:
Key found in /home/rdawes/.ssh/authorized_keys2, line 2 (or words to that
effect)
This level of logging is not recommended, as per the man page, and indeed,
generates a lot of unnecessary info for my purposes.
Would it be possible to add a log entry at INFO (preferably) or VERBOSE
levels that would record a fingerprint of the public key matched?
I understand that one needs to be careful of blindly logging user data to
syslog, and don't really want the Key comment field anyway, but once one has
verified that the key matches, I doubt that there can be any bad info in the
key field itself, surely?
Please Cc: me on any replies, as I am not subscribed to the list.
Thanks
Rogan
--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe at alum.mit.edu>
--
Tel: +27(11)806-6216 Fax: +27(11)806-5202 Cell: +27(82)784-9498
--
NOTE: This e-mail message and its attachments is subject to the
disclaimers as published at:
http://www.deloitte.co.za/disc.htm#emaildisc
More information about the openssh-unix-dev
mailing list