[PATCH] add log= directive to authorized_hosts

Ángel González keisial at gmail.com
Sun Oct 9 02:34:22 EST 2011

Alex Bligh wrote:
> Attached is a patch which adds a log= directive to authorized_keys. The text
> in the log="text" directive is appended to the log line, so you can easily
> tell which key is matched.
Note: the list has stripped the patch.

> produces a log line output like
> Oct  8 11:04:47 test sshd[18469]: Accepted publickey for testuser from  port 55580 ssh2 hello world!
> If this patch is useful, I am happy to work on that bit.

Although this is interesting for your case, where the authorized_keys
file is trusted, I think it may provide some hole for malicious users with
shell access.
Suppose that there is a script applying a regex to the log, and
automatically banning IPs with more than X failures. Then Eve adds a key
with log="Invalid user root from" with being the IP of the admin, or
other users which make use of the machine.
After a few connections with public key, Eve has kicked those people
from the server.
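A sketch of the ban-script failure mode described in the reply above, added here as an example that is not part of the thread or of OpenSSH: an unanchored regex attributes the key's log= text to a failed login from the admin's address, while a parser anchored on the sshd message prefix does not. The log lines and the 192.0.2.x addresses are constructed for the example (the thread elides the real ones).

```python
import re

# Constructed sample lines, modelled on the format quoted in the thread.
# 192.0.2.x are documentation addresses standing in for the elided IPs.
GENUINE_FAILURE = "Oct  8 11:03:10 test sshd[18401]: Invalid user root from 192.0.2.77"

# A successful public-key login whose authorized_keys entry carried
# log="Invalid user root from 192.0.2.10", where 192.0.2.10 is the admin's IP.
INJECTED_SUCCESS = ("Oct  8 11:04:47 test sshd[18469]: Accepted publickey for testuser "
                    "from 192.0.2.55 port 55580 ssh2 Invalid user root from 192.0.2.10")

# What a naive ban script does: search for the failure text anywhere in the line.
NAIVE = re.compile(r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)")

# Hardened: the failure message must begin right after the syslog/sshd prefix
# and nothing may follow the address, so appended text cannot masquerade.
STRICT = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
                    r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)$")


def naive_failed_ip(line):
    """Return the IP a naive, unanchored regex would blame, or None."""
    m = NAIVE.search(line)
    return m.group(1) if m else None


def strict_failed_ip(line):
    """Return the IP only when the whole line is a genuine sshd failure message."""
    m = STRICT.match(line)
    return m.group(1) if m else None


def failure_counts(lines, extractor):
    """Tally failures per IP the way a ban script would, using the given extractor."""
    counts = {}
    for line in lines:
        ip = extractor(line)
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [GENUINE_FAILURE] + [INJECTED_SUCCESS] * 3
    print("naive :", failure_counts(sample, naive_failed_ip))   # admin IP gets 3 "failures"
    print("strict:", failure_counts(sample, strict_failed_ip))  # only the real failure counts
```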