Logging authorized key info
Frank Mohr
f_mohr at yahoo.de
Fri Sep 28 03:35:16 EST 2001
Peter W wrote:
>
> On Thu, Sep 27, 2001 at 12:27:23PM -0400, Nicolas Williams wrote:
>
> > The key name field from the authorized_keys entry (or, missing that, the
> > public key fingerprint) should be logged.
>
> Do you mean the comment field? Since that's user-supplied, is there any
> concern about mischievous values? A hex-encoded fingerprint value on the
> other hand would always be safe/predictable & relatively short.
>
It's not in all cases user supplied. On our servers we use a nightly root cron job to fill the authorized_keys files from an LDAP server and set the comment field to unique values. The authorized_keys file is only writable for root.

I've patched the server to log that comment field to syslog and to set an environment variable (SSH_ORIGINAL_USER) to that value (I use that variable for a command="" started relay software).

I still have to split my patch file into logical pieces (logging, AIX SRC and some data type fixes). I'll post it after my holidays.

Nevertheless, an additional fingerprint log would be nice (not only to give something new to our "security auditing department" ;-)
Frank
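The trade-off discussed in this thread (a comment field that may be attacker-chosen versus a fingerprint with a fixed alphabet and length) can be made concrete with a small parser. The Python below is an added example, not OpenSSH code and not Frank's patch: it parses one authorized_keys line into options, key type, key blob and comment, computes the MD5 (colon-hex) and SHA256 fingerprints of the blob, and escapes the comment before it is placed in a log line so that carriage returns and terminal escape sequences cannot forge or hide log content. The sample modulus, the relay path in the forced command and the hostile comment are all constructed for the example.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    # SSH mpint: big-endian, leading 0x00 added when the top bit is set
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def build_rsa_blob(e: int, n: int) -> bytes:
    # The public-key blob that appears base64-encoded in authorized_keys
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

# Constructed sample key material (not a real key; far too short to be one)
SAMPLE_E = 65537
SAMPLE_N = int("C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E", 16)
SAMPLE_B64 = base64.b64encode(build_rsa_blob(SAMPLE_E, SAMPLE_N)).decode("ascii")

# Constructed authorized_keys line: a forced command whose quoted value holds a
# space, and a comment carrying CR and ESC bytes to imitate a hostile value
SAMPLE_LINE = (
    'command="/usr/local/bin/relay --user 1001",no-pty ssh-rsa '
    + SAMPLE_B64 + " uid=1001,ou=people\r\x1b[2Kforged text"
)

def _split_options(line: str):
    # Options end at the first whitespace outside double quotes; a backslash
    # inside quotes escapes the next character
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""

def parse_authorized_keys_line(line: str) -> dict:
    line, options = line.rstrip("\n"), ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob's own leading string must agree with the declared key type
    (blen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + blen] != keytype.encode("ascii"):
        raise ValueError("key type mismatch between field and blob")
    return {"options": options, "keytype": keytype, "blob": blob, "comment": comment}

def md5_fingerprint(blob: bytes) -> str:
    # Colon-separated hex: fixed alphabet, fixed length, safe to log as-is
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def sha256_fingerprint(blob: bytes) -> str:
    # Newer form: SHA256 digest, base64 without padding
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + digest.rstrip("=")

def sanitize_for_log(text: str, max_len: int = 64) -> str:
    # Escape bytes outside printable ASCII (and '"', '\') so a comment cannot
    # smuggle CR/LF or terminal escape sequences into the log; then truncate
    out = []
    for b in text.encode("utf-8", "surrogateescape"):
        out.append(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C) else "\\x%02x" % b)
    result = "".join(out)
    return result if len(result) <= max_len else result[:max_len] + "..."

def log_record(user: str, entry: dict) -> str:
    # Fingerprint first as the stable identifier; the comment is context only
    return 'Accepted publickey for %s: fingerprint=%s comment="%s"' % (
        user, md5_fingerprint(entry["blob"]), sanitize_for_log(entry["comment"]))

if __name__ == "__main__":
    entry = parse_authorized_keys_line(SAMPLE_LINE)
    print(log_record("relay", entry))
    print(sha256_fingerprint(entry["blob"]))
```

The same escaped value is what a defender would export into an environment variable for a forced command, since a relay that trusts a raw comment inherits whatever bytes the key's owner put there; the fingerprint, by contrast, needs no escaping and stays the same whoever edits the comment.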