sshd key comment logging

Joe Testa jtesta at positronsecurity.com
Wed Jun 25 12:13:03 EST 2008


> It doesn't support logging the comment field, but it does support
> logging the key fingerprint, which uniquely identifies the key (which
> the comment doesn't) but it's logged at level DEBUG1 not VERBOSE.
> (See, eg auth2-pubkey.c and look for "Found matching").

Yep, I've seen it do this while playing around.

Even if an admin does enable that level of logging, it's pretty hard to
memorize the key fingerprints and their owners, especially for
large/dynamic environments.  I understand that the key comment is not
necessarily unique, but in my situation I've made them unique for the
purposes of management (so it is clear which key belongs to whom when I
need to revoke access), and so logging the comment would restore meaning
to the log entry.  I think it is plausible that there are many installations
that do tunneling for Subversion and/or database services over a single
system account to warrant this feature.  What do you think?  (I wasn't
sure from your response if you were receptive to my idea.  I'd like to
know for sure if it has a chance of getting checked into the tree before
I start working on it.)

	Thanks!
	- Joe

-- 
Joseph S. Testa II | Senior Security Consultant
Positron Security, LLC.
http://www.positronsecurity.com

Phone: (585) 643-5900
AIM / Skype:  TheRealJoeTesta
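As an added illustration of the workaround the thread implies (not code from the thread or from OpenSSH): a small Python correlator that computes the MD5 fingerprint of each key in an authorized_keys file and uses it to annotate sshd's DEBUG1 line with the key comment. It assumes the debug line has the shape "Found matching <type> key: <md5 fingerprint>" (only the "Found matching" wording comes from the quoted reply); the key blobs and log line are constructed from toy integers because no real key appears on the page.

```python
import base64
import hashlib
import re
import struct

def md5_fingerprint(b64_blob: str) -> str:
    """Colon-separated MD5 hex fingerprint of a base64 public-key blob (OpenSSH's classic format)."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def parse_authorized_keys(text: str) -> dict:
    """Map fingerprint -> comment for each key line; tolerates a leading options field."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):          # skip past any options such as command="..."
            if field in KEY_TYPES and i + 1 < len(fields):
                table[md5_fingerprint(fields[i + 1])] = " ".join(fields[i + 2:]) or "(no comment)"
                break
    return table

# Assumed DEBUG1 message shape; the fingerprint is 16 colon-separated hex bytes.
LOG_RE = re.compile(r"Found matching (\S+) key: ([0-9a-f]{2}(?::[0-9a-f]{2}){15})")

def annotate(log_line: str, table: dict):
    """Return (fingerprint, comment) for a 'Found matching' line, or None for any other line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    return m.group(2), table.get(m.group(2), "UNKNOWN KEY")

def _fake_rsa_blob(e: int, n: int) -> str:
    """Syntactically valid ssh-rsa wire blob from toy integers (constructed, not a usable key)."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # leading 0x00 when the top bit is set
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)).decode()

AUTHORIZED_KEYS = "\n".join([            # constructed sample for a shared tunnelling account
    "# keys for the shared 'svn' account, comments made unique per person",
    "ssh-rsa " + _fake_rsa_blob(65537, 0xC0FFEE) + " alice@laptop",
    'command="svnserve -t",no-pty ssh-rsa ' + _fake_rsa_blob(65537, 0xBEEF) + " bob@desktop",
])
ALICE_FP = md5_fingerprint(_fake_rsa_blob(65537, 0xC0FFEE))
SAMPLE_LOG = "debug1: Found matching RSA key: " + ALICE_FP   # constructed log line
```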
