sshd key comment logging

[Jim Knoble]

Circa 2008-06-24 22:13 dixit Joe Testa:

: > It doesn't support logging the comment field, but it does support
: > logging the key fingerprint, which uniquely identifies the key (which
: > the comment doesn't) but it's logged at level DEBUG1 not VERBOSE.
: > (See, eg auth2-pubkey.c and look for "Found matching").
: 
: Yep, I've seen it do this while playing around.
: 
: Even if an admin does enable that level of logging, its pretty hard to
: memorize the key fingerprints and their owners, especially for
: large/dynamic environments.

I think the idea is to look up the fingerprint rather than memorize it.
If you need to do it on the fly, it's not that hard to make a filter or
log postprocessor to do the dirty work.

: [...] (I wasn't sure from your response if you were receptive to my
: idea.  I'd like to know for sure if it has a chance of getting checked
: into the tree before I start working on it.)

I'm not an OpenSSH developer, but i'd guess you're better off spending
your time figuring out how to filter or postprocess your logs such that
your key fingerprints are looked up.  If you feel comfortable relying on
the key comments, then you could even look them up in the SSH public key
files as opposed to keeping a separate lookup table (although my offhand
preference would be the reverse, i.e., to keep the private and public
keys in a centrally administered database or LDAP directory somewhere
and build the authorized_keys files from the central location).

Good luck.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: 6F39C2CC  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
+----------------------------------------------------------------------+