logging of which key authenticated?

[Rogan Dawes]

Hi folks,

I was wondering if it were possible to log which key is used to authenticate
a user logging in?

In our scenario, our client is wanting to use SSH keys to control shared
access to Unix accounts, including root. It is obviously possible to add
multiple keys into the authorized_keys file, however, it is not possible to
see which user/key was actually presented, at a reasonable logging level.

I have looked at the source code, and it seems relatively simple to log
this - In the most verbose debug mode, the *line number* of the key in the
file IS printed/logged. It would just be a question of moving that logging
command from the most verbose mode to the normal logging mode, or creating
an option to support it.

Obviously this would be supported with syslogging to a remote log server to
prevent log tampering, and hiding the evidence.

Naturally our client does not want to maintain this themselves, in case a
future upgrade to the latest OpenSSH wipes out their change.

If I were to create a patch to provide this functionality, would it be
accepted, or is there some fundamental objection to doing this?

It makes more sense to me to log something like the comment in the public
key, rather than the key itself, or just the line number. Are there security
implications to this other than "What happens if the user edits the
'authorized_keys file and changes the comment?" Does the logging step occur
as "root", or as the authenticated user, if it is non-root?

Thanks

Rogan