logging of which key authenticated?

Rogan Dawes rdawes at mweb.co.za
Wed Feb 27 07:15:11 EST 2002


That's great! Any ideas about a release date?

Rogan

----- Original Message -----
From: "Ben Lindstrom" <mouring at etoh.eviladmin.org>
To: "John Hawkinson" <jhawk at MIT.EDU>
Cc: "Rogan Dawes" <rdawes at mweb.co.za>; <openssh-unix-dev at mindrot.org>
Sent: Tuesday, February 26, 2002 6:34 PM
Subject: Re: logging of which key authenticated?


>
> Keys are logged in the -current tree.
>
> - Ben
>
> On Tue, 26 Feb 2002, John Hawkinson wrote:
>
> > Rogan Dawes <rdawes at mweb.co.za> wrote on Tue, 26 Feb 2002
> > at 18:38:28 +0200 in <001401c1bee4$073b9210$feec1ec4 at rampage>:
> >
> > > If I were to create a patch to provide this functionality, would it be
> > > accepted, or is there some fundamental objection to doing this?
> >
> > I think that logging the key is a good idea.
> >
> > > It makes more sense to me to log something like the comment in the
> > > public key, rather than the key itself, or just the line number. Are
> > > there security implications to this other than "What happens if the
> > > user edits the 'authorized_keys file and changes the comment?" Does
> > > the logging step occur as "root", or as the authenticated user, if
> > > it is non-root?
> >
> > I would suggest you log the fingerprint of the key, along with the
> > comment parenthetically.
> >
> > bogus idea: You could go all-out and have the syntax for your logging
> > option define % escapes for the fingerprint, the comment, the pathname
> > to the authorized_keys_file, the line number, and the entire key
> > itself, and allow the administrator to provide a printf-style format
> > string for the key logging. (I think this is silly, and that the
> > fingerprint and the comment should be sufficient...)
> >
> > --jhawk
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >



