logging of which key authenticated?

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Feb 27 03:34:25 EST 2002


Keys are logged in the -current tree.

- Ben

On Tue, 26 Feb 2002, John Hawkinson wrote:

> Rogan Dawes <rdawes at mweb.co.za> wrote on Tue, 26 Feb 2002
> at 18:38:28 +0200 in <001401c1bee4$073b9210$feec1ec4 at rampage>:
>
> > If I were to create a patch to provide this functionality, would it be
> > accepted, or is there some fundamental objection to doing this?
>
> I think that logging the key is a good idea.
>
> > It makes more sense to me to log something like the comment in the
> > public key, rather than the key itself, or just the line number. Are
> > there security implications to this other than "What happens if the
> > user edits the 'authorized_keys file and changes the comment?" Does
> > the logging step occur as "root", or as the authenticated user, if
> > it is non-root?
>
> I would suggest you log the fingerprint of the key, along with the
> comment parenthetically.
>
> bogus idea: You could go all-out and have the syntax for your logging
> option define % escapes for the fingerprint, the comment, the pathname
> to the authorized_keys_file, the line number, and the entire key
> itself, and allow the administrator to provide a printf-style format
> string for the key logging. (I think this is silly, and that the
> fingerprint and the comment should be sufficient...)
>
> --jhawk
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
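As an added example (not code from this thread or from OpenSSH), the following script shows the defender's side of what the thread is asking for: it parses an `authorized_keys` file, including entries with a leading options field such as `command="...",no-pty`, computes the key fingerprint that current sshd prints in its `Accepted publickey` log line (`SHA256:` base64 form, plus the legacy `MD5:` form), and builds a fingerprint-to-entry index so a logged fingerprint can be resolved back to the line number and comment. The `describe` helper implements the `%`-escape formatting floated above. The sample file, the key blobs in it and the list of accepted key types are constructed assumptions for the demonstration; no real key material is used.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Iterator

# Key types sshd accepts in authorized_keys (assumption: the common ones; extend as needed).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class AuthorizedKey:
    lineno: int      # line in authorized_keys (1-based), as the thread suggests logging
    options: str     # leading option field, e.g. command="...",no-pty (empty if none)
    keytype: str
    blob: bytes      # decoded public-key blob; the fingerprint is a hash of exactly this
    comment: str     # trailing comment, which the key's owner can edit freely

    @property
    def sha256_fingerprint(self) -> str:
        return fingerprint_sha256(self.blob)

    @property
    def md5_fingerprint(self) -> str:
        return fingerprint_md5(self.blob)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the blob as colon-separated hex byte pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def _split_options(line: str) -> tuple[str, str]:
    """Split a leading options field from the key part, honouring double quotes
    (so command="echo a b",no-pty is one field). Returns (options, rest)."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:      # backslash-escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_authorized_keys(text: str) -> Iterator[AuthorizedKey]:
    """Yield one AuthorizedKey per usable line; blank, comment and malformed lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        options, rest = ("", line) if first in KEY_TYPES else _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue                    # not a key line; sshd would ignore it as well
        keytype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        yield AuthorizedKey(lineno, options, keytype, blob, comment)


def fingerprint_index(text: str) -> dict[str, AuthorizedKey]:
    """Map SHA256 fingerprint -> entry, to resolve a logged fingerprint to its line and comment."""
    return {k.sha256_fingerprint: k for k in parse_authorized_keys(text)}


def describe(key: AuthorizedKey, fmt: str = "%f (%c) line %l") -> str:
    """Render an entry with the %-escapes discussed in the thread:
    %f fingerprint, %c comment, %l line number, %t key type, %% literal percent."""
    table = {"f": key.sha256_fingerprint, "c": key.comment,
             "l": str(key.lineno), "t": key.keytype, "%": "%"}
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), fmt)


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample data (assumption): two ed25519-shaped blobs with made-up key bytes.
SAMPLE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_BACKUP_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\xaa" * 32)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not real keys",
    "ssh-ed25519 " + base64.b64encode(SAMPLE_ED25519_BLOB).decode() + " rogan@rampage",
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 '
    + base64.b64encode(SAMPLE_BACKUP_BLOB).decode() + " backup key",
    "garbage line that sshd would ignore",
])

if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(describe(entry), "|", entry.md5_fingerprint, "|", entry.options or "-")
```

The fingerprint is a hash of the decoded blob only, so it is stable no matter how the owner edits the options or comment field; that is why the thread prefers it over the comment, with the comment attached only as a convenience. The index is what an operator would use when correlating sshd's logged fingerprint with the entry it matched.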



