Logging authorized key info
Peter W
peterw at usa.net
Fri Sep 28 02:48:51 EST 2001
On Thu, Sep 27, 2001 at 12:27:23PM -0400, Nicolas Williams wrote:
> The key name field from the authorized_keys entry (or, missing that, the
> public key fingerprint) should be logged.
Do you mean the comment field? Since that's user-supplied, is there any
concern about mischievous values? A hex-encoded fingerprint value on the
other hand would always be safe/predictable & relatively short.
> Also, whichever is logged should be set as the value of some environment
> variable.
I like this idea. Currently I have some command= tools that have hard links
and behave differently based on the name referenced in command=. It would be
cleaner if I had only one file name, but the behavior depended on the
identity being used to invoke the tool.
-Peter
> It's quite useful, particularly for command= authorized_keys entries.
> On Thu, Sep 27, 2001 at 09:03:03AM -0700, Robert W. Schultz wrote:
> > I would like to be able to log the key/fingerprint/comment field or even
> > line number (pick one) from the authorized_keys file of the account
> > connected to. So I would get a syslog entry something like this...
> >
> > [ID 800047 auth.info] Accepted rsa <authorized_keys comment field> for
> > ROOT from 127.0.0.1 port 34352
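Peter's point that the comment field is user-supplied while a hex fingerprint is fixed-width and predictable can be made concrete. The Python below is an added example, not code from this thread or from OpenSSH: it parses an authorized_keys entry (options, key type, blob, comment), derives the colon-separated MD5 fingerprint that ssh-keygen -l printed at the time (plus the later SHA256 form), and escapes the comment before it can reach syslog. The sample entries and key blobs are constructed placeholders, and RSA1 "bits e n" lines are not handled.

```python
import base64
import hashlib

# Key types this example recognises (RSA1 "bits e n" entries are left out).
KEY_TYPES = ("ssh-rsa", "ssh-dss")

# Constructed sample entries; the blobs are short, valid-base64 placeholders, not
# real keys. The second comment embeds a newline to mimic a forged log record.
SAMPLE_LINES = [
    'command="/usr/local/bin/backup tool",no-pty ssh-rsa '
    'AAAAB3NzaC1yc2EAAAADAQABAAABAQ== alice@laptop',
    'ssh-dss AAAAB3NzaC1kc3MAAAAC bob\nAccepted rsa for ROOT from 10.0.0.1',
]

def split_options(line):
    """Return (options, rest); options end at the first space outside quotes."""
    if line.split(" ", 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:]
    raise ValueError("no key material after options")

def parse_authorized_key(line):
    options, rest = split_options(line.rstrip("\r\n"))
    parts = rest.split(" ", 2)          # key type, base64 blob, optional comment
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised key type: %r" % rest[:20])
    comment = parts[2] if len(parts) == 3 else ""
    return {"options": options, "type": parts[0], "blob": parts[1], "comment": comment}

def fingerprint(blob_b64, algo="md5"):
    """Colon-separated MD5 hex (the 2001 ssh-keygen -l style) or SHA256:base64."""
    raw = base64.b64decode(blob_b64, validate=True)
    if algo == "md5":
        hexd = hashlib.md5(raw).hexdigest()
        return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def safe_comment(comment, limit=40):
    """Escape non-printable ASCII so a comment cannot inject log lines; bound length."""
    esc = "".join(c if 32 <= ord(c) < 127 else "\\x%02x" % ord(c) for c in comment)
    return esc[:limit] + ("..." if len(esc) > limit else "")

def auth_log_line(entry, user, addr, port):
    """Syslog-style record from the thread, keyed by fingerprint, not raw comment."""
    return "Accepted %s %s (%s) for %s from %s port %d" % (entry["type"][4:],
        fingerprint(entry["blob"]), safe_comment(entry["comment"]), user, addr, port)
```

Later OpenSSH releases addressed the environment-variable request with the ExposeAuthInfo sshd_config option, which writes the authenticating key to a file whose path is passed to the session as SSH_USER_AUTH.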