Logging of comments on keys

Tim McGarry tim at mcgarry.ch
Mon Feb 10 07:00:35 EST 2003


This may seem convenient, but it's open to abuse, as anyone can put any
comment they like on the key they use.

Tim McGarry
----- Original Message -----
From: "Axel Dunkel" <ad at Dunkel.de>
To: <openssh-unix-dev at mindrot.org>
Sent: Sunday, February 09, 2003 8:13 PM
Subject: Logging of comments on keys


> Hi,
>
> during our usual work I found it annoying that one cannot easily see
> who logged in using public key authentication. In newer versions of
> SSH the fingerprint of the public key gets logged, but who can tell
> which key belongs to whom from his head?
>
> So I wrote a little ad-hoc patch (vs. 3.5.p1) so that the comment
> field on the keys in the authorized_keys[2] files gets logged to make
> life easier. Also, the public key of all public-key-login-*attempts*
> is logged as well.
>
> I include the patch (only some lines of code). I would appreciate
> comments on this matter!
>
> Thanks,
> Axel Dunkel
>
>
> ---
> Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
> Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99,   E-Mail: ad at Dunkel.de
>




> *** auth2-pubkey.c.orig Sun Feb  9 12:48:09 2003
> --- auth2-pubkey.c Sun Feb  9 19:57:09 2003
> ***************
> *** 183,188 ****
> --- 183,193 ----
>
>   debug("trying public key file %s", file);
>
> +  /* log public key */
> +
> + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
> + verbose("Attempt public key authentication for %s with %s key: %s",
pw->pw_name, key_type(key), fp);
> +
>   /* Fail quietly if file does not exist */
>   if (stat(file, &st) < 0) {
>   /* Restore the privileged uid. */
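Review bot: the string returned by the added `fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);` is never released in this hunk, whereas the existing code in the next hunk pairs the same call with `xfree(fp);`; add an `xfree(fp);` after the verbose() call so every authentication attempt does not leak a fingerprint buffer. Also note the message is emitted before the `stat(file, &st)` check, so it is logged even when the user has no authorized_keys file at all.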
> ***************
> *** 244,249 ****
> --- 249,255 ----
>   fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
>   verbose("Found matching %s key: %s",
>       key_type(found), fp);
> + verbose("Comment on key: %s", cp);
>   xfree(fp);
>   break;
>   }
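Review bot: `cp` in the added `verbose("Comment on key: %s", cp);` is whatever the key's owner wrote after the key material in their own authorized_keys line, so this line reports user-supplied text, not an administrator-verified identity (the point raised in the reply above); label it as the file's comment field in the message and strip leading whitespace before logging, since `cp` starts right after the key data.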
> *** auth-rsa.c.orig Sun Feb  9 13:18:56 2003
> --- auth-rsa.c Sun Feb  9 13:21:39 2003
> ***************
> *** 153,159 ****
>   int
>   auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
>   {
> ! char line[8192], *file;
>   int allowed = 0;
>   u_int bits;
>   FILE *f;
> --- 153,159 ----
>   int
>   auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
>   {
> ! char line[8192], *file, *extpubkey;
>   int allowed = 0;
>   u_int bits;
>   FILE *f;
> ***************
> *** 164,169 ****
> --- 164,175 ----
>   /* Temporarily use the user's uid. */
>   temporarily_use_uid(pw);
>
> + /* log public key */
> +
> + extpubkey = BN_bn2hex(client_n);
> + log("Attempt RSA authentication for %s with pubkey %s", pw->pw_name,
extpubkey);
> + OPENSSL_free(extpubkey);
> +
>   /* The authorized keys. */
>   file = authorized_keys_file(pw);
>   debug("trying public RSA key file %s", file);
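Review bot: this hunk logs at log() level while the other three additions use verbose(), and `BN_bn2hex(client_n)` writes the full modulus (hundreds of hex characters for a 1024-bit key) on every attempt before the key is even compared against the file; a fingerprint as used in the auth2-pubkey.c hunk would be shorter and consistent across both code paths. BN_bn2hex() also returns NULL on allocation failure, and that NULL reaches the `%s` format unchecked.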
> ***************
> *** 249,254 ****
> --- 255,263 ----
>   log("Warning: %s, line %lu: keysize mismatch: "
>       "actual %d vs. announced %d.",
>       file, linenum, BN_num_bits(key->rsa->n), bits);
> +
> + /* log comment */
> + verbose("Comment on found key: %s", cp);
>
>   /* We have found the desired key. */
>   /*
>
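Review bot: `verbose("Comment on found key: %s", cp);` fires as soon as a key with a matching modulus is located, directly after the keysize-mismatch warning and before anything sets `allowed` (declared `int allowed = 0;` in the earlier hunk), so a key that is found but then rejected still logs its comment; if the purpose is to attribute logins, move it next to the code path where the key is actually accepted. The same caveat as in auth2-pubkey.c applies: the comment is text from the user's own file.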

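A defender-side alternative to trusting a comment that sshd logs on the user's behalf, added here as an example and not part of this thread or of OpenSSH: resolve the fingerprint sshd already logs ("Found matching RSA key: xx:xx:...") against an administrator-kept copy of the authorized_keys file. The sample file contents and key blobs are constructed, and the log-line regex and key-type list are this example's own assumptions.

```python
import base64, hashlib, re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")  # ecdsa-sha2-* is matched by prefix
LOG_RE = re.compile(r"Found matching \S+ key: ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})")

def md5_fingerprint(blob):
    # Colon-separated hex MD5 of the raw key blob: the form sshd logs (SSH_FP_MD5, SSH_FP_HEX)
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def _field_starts(line):
    # Offsets where a field begins, ignoring whitespace inside "quoted" option values
    in_quote, offsets = False, [0]
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote and i + 1 < len(line) and not line[i + 1].isspace():
            offsets.append(i + 1)
    return offsets

def parse_authorized_keys_line(line):
    # (fingerprint, comment) for one line; None for blank, '#' or unparseable lines. Options may contain quoted spaces.
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for pos in _field_starts(line):
        fields = line[pos:].split(None, 2)
        if fields[0] in KEY_TYPES or fields[0].startswith("ecdsa-sha2-"):
            try:
                blob = base64.b64decode(fields[1], validate=True)
            except (IndexError, ValueError):
                return None
            return md5_fingerprint(blob), (fields[2] if len(fields) > 2 else "")
    return None

def build_index(authorized_keys_text):
    # fingerprint -> comment; the comment is the key owner's data, not proof of who logged in
    return {p[0]: p[1] for p in map(parse_authorized_keys_line, authorized_keys_text.splitlines()) if p}

def resolve_log_line(log_line, index):
    # Resolve the fingerprint in an sshd "Found matching ... key:" line; None if the line has none
    m = LOG_RE.search(log_line)
    return index.get(m.group(1), "<unknown key>") if m else None
# Constructed sample key blobs (not real keys); only their MD5 matters for the lookup
ALICE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 16
BOB_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 16
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + base64.b64encode(ALICE_BLOB).decode() + " alice@laptop",
    'command="echo ssh-rsa bogus",no-pty ssh-rsa ' + base64.b64encode(BOB_BLOB).decode() + " bob backup",
])
```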