[PATCH] add log= directive to authorized_hosts

Alex Bligh alex at alex.org.uk
Sun Oct 9 02:56:37 EST 2011

--On 8 October 2011 17:34:22 +0200 Ángel González <keisial at gmail.com> 

> Although this is interesting for your case, where the authorized_keys
> file is trusted, I think it may provide some hole for malicious users
> with shell access. Suppose that there is a script applying a regex to
> the log, and automatically banning IPs with more than X failures. Then
> Eve adds a key with log="Invalid user root from" with being the IP of
> the admin, or other users which make use of the machine.
> After a few connections with public key, Eve has kicked those people
> from the server.

The log line always begins the same way, i.e. the current way, so the
log line would in this case read:

Oct  8 11:04:47 test sshd[18469]: Accepted publickey for eve from port 55580 ssh2 Invalid user root from

Now, if someone is so silly as to parse the log for a regexp and not
write the regexp properly then I think they deserve all they get.

Alex Bligh
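To make the parsing point concrete, here is an added example (mine, not code from this thread or from OpenSSH) that runs a fail2ban-style failure counter over constructed log lines with two patterns: an unanchored regex, which the appended log= text does fool, and one anchored to the sshd message prefix, which it does not. The log lines, hostnames and IP addresses are constructed placeholders.

```python
import re

# Constructed sample log (not from the thread). Lines 2 and 3 follow the
# shape Alex describes: the fixed "Accepted publickey ..." prefix followed by
# the key owner's log= text. 192.0.2.10 stands in for the admin's address.
SAMPLE_LOG = """\
Oct  8 11:04:01 test sshd[18401]: Invalid user root from 203.0.113.77
Oct  8 11:04:47 test sshd[18469]: Accepted publickey for eve from 198.51.100.9 port 55580 ssh2 Invalid user root from 192.0.2.10
Oct  8 11:05:02 test sshd[18470]: Accepted publickey for eve from 198.51.100.9 port 55581 ssh2 Invalid user root from 192.0.2.10
Oct  8 11:05:20 test sshd[18472]: Invalid user root from 203.0.113.77
"""

# Naive pattern: unanchored, so it matches the failure text wherever it
# appears in the line, including the tail of a successful-login line.
NAIVE = re.compile(r"Invalid user \S+ from (\S+)")

# Anchored pattern: the failure text must start immediately after the
# syslog prefix and "sshd[pid]: ", so text appended to an "Accepted" line
# cannot satisfy it.
ANCHORED = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)$"
)


def count_failures(log_text, pattern):
    """Return {ip: failure_count} for lines the compiled pattern matches."""
    counts = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            ip = m.group(1)
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def ips_to_ban(log_text, pattern, threshold):
    """Sorted list of IPs whose failure count reaches the threshold."""
    return sorted(
        ip for ip, n in count_failures(log_text, pattern).items() if n >= threshold
    )


if __name__ == "__main__":
    # The naive parser bans the admin's placeholder address; the anchored one
    # only bans the host that actually produced failures.
    print("naive:   ", ips_to_ban(SAMPLE_LOG, NAIVE, 2))
    print("anchored:", ips_to_ban(SAMPLE_LOG, ANCHORED, 2))
```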
