Logging of comments on keys
Axel Dunkel
ad at Dunkel.de
Mon Feb 10 06:13:38 EST 2003
Hi,
during our usual work I found it annoying that one can not easily see
who logged in using public key authentication. In newer versions of
SSH the fingerprint of the public key gets logged, but who can tell
which key belongs to whom from his head?
So I wrote a little ad-hoc patch (vs. 3.5.p1) so that the comment
field on the keys in the authorized_keys[2] files gets logged to make
life easier. Also, the public key of all public-key-login-*attempts*
is logged as well.
I include the patch (only some lines of code). I would appreciate
comments on this matter!
Thanks,
Axel Dunkel
---
Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad at Dunkel.de
*** auth2-pubkey.c.orig Sun Feb 9 12:48:09 2003
--- auth2-pubkey.c Sun Feb 9 19:57:09 2003
***************
*** 183,188 ****
--- 183,193 ----
debug("trying public key file %s", file);
+ /* log public key */
+
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ verbose("Attempt public key authentication for %s with %s key: %s", pw->pw_name, key_type(key), fp);
+
/* Fail quietly if file does not exist */
if (stat(file, &st) < 0) {
/* Restore the privileged uid. */
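Review bot: the fingerprint assigned to fp in this hunk is never freed. key_fingerprint() returns an allocated buffer (the second hunk in this file releases its copy with xfree(fp) right after use), so add `xfree(fp);` after the verbose() call or every public-key attempt leaks one allocation in the sshd child. Since the new lines sit before the stat() on the key file (the debug() just above reports which file is being tried), the attempt line is repeated for each authorized_keys file this function is called for rather than once per offered key; logging at the caller, or only after the file check, avoids the duplicate. Style: the verbose() call exceeds 80 columns, so wrap the format string the way the existing verbose() calls in this file do.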
***************
*** 244,249 ****
--- 249,255 ----
fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
+ verbose("Comment on key: %s", cp);
xfree(fp);
break;
}
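Review bot: cp is logged verbatim, and at this point it still carries whatever followed the key on the authorized_keys line, typically a leading space and the trailing newline from the line buffer, so the message ends with an embedded newline. More importantly the comment is chosen by the account owner, so unless the logging layer escapes control characters, a comment can place arbitrary extra lines or terminal escape sequences into the auth log; truncate cp at the first newline, bound its length, and pass it through a printable-only filter before logging. Consider folding it into the existing line, e.g. `verbose("Found matching %s key: %s (%s)", key_type(found), fp, cp);`, and adding file and linenum, so the comment cannot be separated from the fingerprint it describes in a busy log.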
*** auth-rsa.c.orig Sun Feb 9 13:18:56 2003
--- auth-rsa.c Sun Feb 9 13:21:39 2003
***************
*** 153,159 ****
int
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
! char line[8192], *file;
int allowed = 0;
u_int bits;
FILE *f;
--- 153,159 ----
int
auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
! char line[8192], *file, *extpubkey;
int allowed = 0;
u_int bits;
FILE *f;
***************
*** 164,169 ****
--- 164,175 ----
/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
+ /* log public key */
+
+ extpubkey = BN_bn2hex(client_n);
+ log("Attempt RSA authentication for %s with pubkey %s", pw->pw_name, extpubkey);
+ OPENSSL_free(extpubkey);
+
/* The authorized keys. */
file = authorized_keys_file(pw);
debug("trying public RSA key file %s", file);
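Review bot: BN_bn2hex() returns NULL on allocation failure and the result is passed straight to %s; check for NULL before the log() call. The hex modulus of a 1024-bit key is 256 characters, larger keys proportionally more, which pushes the line toward typical syslog message limits and makes it awkward to match by eye; logging a fingerprint instead, as the auth2-pubkey.c hunk does, gives a short identifier and the same format for both protocols. This hunk also uses log() where the protocol 2 hunk uses verbose(), so every offered RSA1 key is reported at the default level; pick one level for both (verbose() seems the right one for per-attempt noise).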
***************
*** 249,254 ****
--- 255,263 ----
log("Warning: %s, line %lu: keysize mismatch: "
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
+
+ /* log comment */
+ verbose("Comment on found key: %s", cp);
/* We have found the desired key. */
/*
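Review bot: same issue as the comment line in auth2-pubkey.c: cp is the untrimmed remainder of the authorized_keys line (trailing newline included) and is user-controlled, so strip the newline and non-printable characters and bound the length before it reaches the log. The wording differs from the protocol 2 version ("Comment on found key" vs "Comment on key"); use one text so log parsers need a single pattern. Note that the line fires as soon as the key matches (the "We have found the desired key" comment), before the rest of the function decides whether the key may be used, so it records a match, not an accepted login; including file and linenum in the message makes that distinction recoverable later.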