Key fingerprint logging

Michal Kara lemming at netcentrum.cz
Fri Feb 1 21:38:58 EST 2002


> >   I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of
> > the accepted key to be printed in the log message. It works with SSH1-RSA and
> > SSH2 pubkey (DSA+RSA) authentication.
> > 
> >   This feature is controllable by the LogKeyFingerprint config option (turned
> > off by default).
> > 
> 
> Unless I am wrong I believe -current already has this functionality.  Just
> it does not add another configuration option since it is always on.

  Not always - only when you have verbose logging. And the way it is implemented
makes it not-so-easy to assign a fingerprint to a login, since the FP is printed on
a separate line. You'd have to keep track of which PID accepted which key to be able
to tell for which user the key was accepted. My version added FP information to
the "Accepted RSA from ... " (or equivalent in ssh2) line, so it was "all in
one".

  Anyway, you probably would not be willing to change your implementation :-)

								Michal
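
The PID bookkeeping described in the message above, as an added example that is not part of the original post or of OpenSSH: a small correlator that joins a fingerprint line to the later "Accepted" line from the same sshd PID. The log message formats, host names, addresses and fingerprints are constructed assumptions for illustration.

```python
import re

# Constructed fingerprints and log lines (not from the original post). The
# "Found matching ... key" and "Accepted ..." formats are assumed.
FP_A = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"
FP_B = "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00"
SAMPLE_LOG = f"""\
Feb  1 21:30:01 host sshd[4101]: Found matching RSA key: {FP_A}
Feb  1 21:30:01 host sshd[4102]: Found matching DSA key: {FP_B}
Feb  1 21:30:02 host sshd[4102]: Accepted publickey for bob from 192.0.2.20 port 40200 ssh2
Feb  1 21:30:02 host sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Feb  1 21:31:10 host sshd[4103]: Found matching RSA key: {FP_A}
Feb  1 21:31:12 host sshd[4103]: Accepted password for carol from 192.0.2.30 port 40300 ssh2
Feb  1 21:40:00 host sshd[4101]: Accepted password for dave from 192.0.2.40 port 40400 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FOUND = re.compile(r"Found matching (?P<type>\S+) key: (?P<fp>[0-9a-f:]+)")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+)")


def correlate(log_text):
    """Return (user, addr, method, key_type, fingerprint) per accepted login."""
    pending = {}  # pid -> (key_type, fingerprint) seen but not yet tied to a login
    logins = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        found = FOUND.match(msg)
        if found:
            pending[pid] = (found["type"], found["fp"])
            continue
        acc = ACCEPTED.match(msg)
        if acc:
            # Always drop the pending entry so a reused PID cannot inherit it.
            key_type, fp = pending.pop(pid, (None, None))
            if acc["method"] != "publickey":
                key_type, fp = None, None  # a matched key did not perform this login
            logins.append((acc["user"], acc["addr"], acc["method"], key_type, fp))
    return logins


if __name__ == "__main__":
    for login in correlate(SAMPLE_LOG):
        print(login)
```

The join only works when the fingerprint line is actually emitted, so it depends on the verbose log level mentioned in the message.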





More information about the openssh-unix-dev mailing list