logging of which key authenticated?

John Hawkinson jhawk at MIT.EDU
Wed Feb 27 03:58:35 EST 2002


Rogan Dawes <rdawes at mweb.co.za> wrote on Tue, 26 Feb 2002
at 18:38:28 +0200 in <001401c1bee4$073b9210$feec1ec4 at rampage>:

> If I were to create a patch to provide this functionality, would it be
> accepted, or is there some fundamental objection to doing this?

I think that logging the key is a good idea.

> It makes more sense to me to log something like the comment in the
> public key, rather than the key itself, or just the line number. Are
> there security implications to this other than "What happens if the
> user edits the 'authorized_keys' file and changes the comment?" Does
> the logging step occur as "root", or as the authenticated user, if
> it is non-root?

I would suggest you log the fingerprint of the key, along with the
comment parenthetically.

bogus idea: You could go all-out and have the syntax for your logging
option define % escapes for the fingerprint, the comment, the pathname
to the authorized_keys_file, the line number, and the entire key
itself, and allow the administrator to provide a printf-style format
string for the key logging. (I think this is silly, and that the
fingerprint and the comment should be sufficient...)

--jhawk
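As an added illustration of the logging suggested above (not code from this thread or from OpenSSH): parse one authorized_keys line, compute the key's fingerprint, and emit a log line with the fingerprint and the comment in parentheses. The sample line, dummy key bytes and log format are constructed; the fingerprint is the SHA-256 form modern OpenSSH prints, not the MD5 hex form in use in 2002.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public key blobs."""
    return len(b).to_bytes(4, "big") + b

# Constructed sample: a syntactically valid ed25519 blob built from dummy key
# bytes, with an options field and a comment, as one authorized_keys line.
SAMPLE_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") +
                               _ssh_string(bytes(range(32)))).decode()
SAMPLE_LINE = f'no-pty,from="10.0.0.0/8" ssh-ed25519 {SAMPLE_BLOB} rogan@rampage'

def parse_authorized_key(line: str) -> dict:
    """Split one authorized_keys line into options, key type, raw blob, comment."""
    line = line.strip()
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # The options field ends at the first space outside double quotes.
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    keytype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():  # the blob must echo the key type
        raise ValueError("key type does not match blob")
    return {"options": options, "type": keytype, "blob": blob, "comment": comment}

def fingerprint_sha256(blob: bytes) -> str:
    """Base64 SHA-256 of the raw blob without padding, as OpenSSH prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def auth_log_line(user: str, path: str, lineno: int, line: str) -> str:
    """Fingerprint is the stable identifier; the user-editable comment is only a hint."""
    k = parse_authorized_key(line)
    return (f"Accepted publickey for {user}: {fingerprint_sha256(k['blob'])} "
            f"({k['comment']}) from {path}:{lineno}")
```

The fingerprint, not the comment, is what to match against an inventory of issued keys, since the comment is whatever the key's owner wrote into the file.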