sshd key comment logging

Darren Tucker dtucker at zip.com.au
Mon Jun 23 15:23:50 EST 2008


On Sun, Jun 22, 2008 at 9:42 PM, Joe Testa <jtesta at positronsecurity.com> wrote:
>   I admin a box that has Subversion users authenticate with public keys
> to a restricted 'svnuser' account.  The comment field of all the keys
> describe who they belong to (it has their usernames), but unfortunately,
> sshd does not log this when a user successfully authenticates:
>
>   Jun 21 08:18:22 localhost sshd[23636]: Accepted publickey for svnuser
> from x.x.x.x port 2065 ssh2
>   Jun 21 08:18:24 localhost sshd[23668]: Accepted publickey for svnuser
> from y.y.y.y port 2067 ssh2
>
>   The above two logins were for two distinct keys with distinct comment
> fields.  However, as you can see, the logs they generate are
> indistinguishable; I can't easily tell what two users these are.  I've
> tested this against OpenSSH v5.0 with LogLevel set to VERBOSE.
>
>  Am I correct in that sshd does not support logging of the key's
> comment field?

It doesn't support logging the comment field, but it does support
logging the key fingerprint, which uniquely identifies the key (which
the comment doesn't), but it's logged at level DEBUG1, not VERBOSE.
(See, e.g., auth2-pubkey.c and look for "Found matching").

Also, from memory the message is logged by the privsep slave, so in
order for it to work you need a /dev/log inside the privsep chroot.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
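One way to act on Darren's pointer, written here as an added example rather than anything from the thread or from OpenSSH itself: compute the MD5 colon-hex fingerprint OpenSSH used for each authorized_keys entry, then join the "Found matching ... key" debug line to the "Accepted publickey" line that shares the same sshd[pid], recovering the comment field the syslog entry lacks. The keys, comments and log lines below are constructed; the exact message shapes, and that the debug line reaches syslog at all (the /dev/log caveat), are assumptions, and the third login shows what you get when it does not.

```python
import base64
import hashlib
import re
# Constructed authorized_keys for the shared svnuser account (arbitrary base64 bytes, not real keys).
AUTHORIZED_KEYS = """\
command="/usr/bin/svnserve -t",no-pty ssh-rsa Y29uc3RydWN0ZWQta2V5LWFsaWNl alice@example.org
ssh-rsa Y29uc3RydWN0ZWQta2V5LWJvYg== bob@example.org
"""

KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")
FOUND_RE = re.compile(r"sshd\[(\d+)\]: (?:debug1: )?Found matching \S+ key: ([0-9a-f:]{47})")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) port \d+")

def md5_fingerprint(blob_b64):
    """OpenSSH MD5 fingerprint: colon-separated hex MD5 of the decoded key blob."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_key_comments(text):
    """Map fingerprint -> comment; option prefixes such as command="..." are skipped over."""
    comments = {}
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            comments[md5_fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return comments

def attribute_logins(log_lines, comments):
    """Return (account, source, fingerprint, comment) per accepted login, joined on sshd[pid]."""
    pending, result = {}, []
    for line in log_lines:
        m = FOUND_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)  # remember which key this pid matched
            continue
        m = ACCEPT_RE.search(line)
        if m:
            pid, user, src = m.groups()
            fp = pending.pop(pid, None)  # None when the debug line never reached syslog
            result.append((user, src, fp, comments.get(fp, "(unknown key)")))
    return result

def sample_log():
    """Constructed syslog lines shaped like the thread's, with the fingerprint lines added."""
    fp_a = md5_fingerprint("Y29uc3RydWN0ZWQta2V5LWFsaWNl")
    fp_b = md5_fingerprint("Y29uc3RydWN0ZWQta2V5LWJvYg==")
    return ["Jun 21 08:18:22 localhost sshd[23636]: debug1: Found matching RSA key: " + fp_a,
            "Jun 21 08:18:22 localhost sshd[23636]: Accepted publickey for svnuser from x.x.x.x port 2065 ssh2",
            "Jun 21 08:18:24 localhost sshd[23668]: debug1: Found matching RSA key: " + fp_b,
            "Jun 21 08:18:24 localhost sshd[23668]: Accepted publickey for svnuser from y.y.y.y port 2067 ssh2",
            "Jun 21 08:18:30 localhost sshd[23701]: Accepted publickey for svnuser from z.z.z.z port 2070 ssh2"]
```

Run `attribute_logins(sample_log(), load_key_comments(AUTHORIZED_KEYS))` to get one row per login; a row whose fingerprint is None is a login for which no debug line was received, which is the symptom Darren's /dev/log remark explains.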

