[PATCH] add log= directive to authorized_hosts
keisial at gmail.com
Sun Oct 9 02:34:22 EST 2011
Alex Bligh wrote:
> Attached is a patch which adds a log= directive to authorized_keys.
> The text in the log="text" directive is appended to the log line, so you can
> tell which key is matched.
Note: the list has stripped the patch.
> produces a log line output like
> Oct 8 11:04:47 test sshd: Accepted publickey for testuser from
> 10.11.12.13 port 55580 ssh2 hello world!
> If this patch is useful, I am happy to work on that bit.
Although this is interesting for your case, where the authorized_keys
file is trusted, I think it may provide some hole for malicious users
with shell access.
Suppose that there is a script applying a regex to the log, and
IPs with more than X failures. Then Eve adds a key with log="Invalid
user root from 192.168.1.1"
with 192.168.1.1 being the IP of the admin, or other users which make
use of the machine.
After a few connections with public key, Eve has kicked those people
from the server.
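As an added illustration of the concern raised above (this is not code from the thread or from OpenSSH), here is a fail2ban-style counter that matches the failure pattern anywhere in the line, next to one that anchors on the syslog structure and so ignores text appended by a log= directive. The sample lines are constructed to follow the format quoted in the thread; the `sshd[pid]` prefix and the trailer check are assumptions.

```python
import re
from collections import Counter

# Constructed sample log. The last three lines are what the proposed log= directive
# would emit for a key carrying log="Invalid user root from 192.168.1.1".
SAMPLE_LOG = """\
Oct  8 11:04:40 test sshd[2201]: Invalid user root from 192.168.1.1
Oct  8 11:04:47 test sshd[2202]: Accepted publickey for testuser from 10.11.12.13 port 55580 ssh2 Invalid user root from 192.168.1.1
Oct  8 11:04:48 test sshd[2203]: Accepted publickey for testuser from 10.11.12.13 port 55581 ssh2 Invalid user root from 192.168.1.1
Oct  8 11:04:49 test sshd[2204]: Accepted publickey for testuser from 10.11.12.13 port 55582 ssh2 Invalid user root from 192.168.1.1
"""

# Syslog prefix; the [pid] part is optional so the line quoted in the thread also parses.
SYSLOG_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd(?:\[\d+\])?: (?P<msg>.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILURE_ANYWHERE = re.compile(r"Invalid user \S+ from " + IPV4)
# Whole-message match: the failure text must be the sshd message itself, not a suffix.
FAILURE_MSG = re.compile(r"^Invalid user \S+ from " + IPV4 + r"(?: port \d+)?$")
ACCEPTED_MSG = re.compile(r"^Accepted \w+ for \S+ from \S+ port \d+ ssh2(?P<trailer>.*)$")


def count_failures_naive(log: str) -> Counter:
    """Ban-list logic as the thread describes it: regex applied to the raw line.
    Every injected Accepted line is counted as a failure from 192.168.1.1."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILURE_ANYWHERE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def count_failures_anchored(log: str) -> Counter:
    """Parse the syslog prefix first, then require the message to be exactly a
    failure message, so user-controlled trailing text cannot masquerade as one."""
    counts = Counter()
    for line in log.splitlines():
        m = SYSLOG_LINE.match(line)
        if m and (f := FAILURE_MSG.match(m.group("msg"))):
            counts[f.group(1)] += 1
    return counts


def accepted_with_trailer(log: str) -> list:
    """Return the extra text found after 'ssh2' on successful logins, which is where
    a log= directive (or any key-controlled text) would land."""
    hits = []
    for line in log.splitlines():
        m = SYSLOG_LINE.match(line)
        a = ACCEPTED_MSG.match(m.group("msg")) if m else None
        if a and a.group("trailer").strip():
            hits.append(a.group("trailer").strip())
    return hits
```

The naive counter reports four failures for 192.168.1.1 and would ban the admin; the anchored one reports the single genuine failure, and the trailer check surfaces the three injected strings for review.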