public key authentication -- log invalid keys

TheGezer openssh-unix-dev at
Tue Apr 29 05:43:12 EST 2014

OK so i've been doing some digging and a bit more testing.  seems i do
get an error but only in verbose loglevel.
but I have to increase LogLevel to verbose to only get
" [sshd] Failed publickey for root "

undeterred i went digging in the source
it looks like auth2-pubkey.c   has function "user_key_allowed" which in
turn calls "user_key_allowed2" which calls "check_authkeys_file"
so there is a line for key not found, but i'm not getting this with
LogLevel = VERBOSE
   418     if (!found_key)
   419         debug2("key not found");

so with LogLevel DEBUG2 and this gives me much much more info including
"key not found"

OK so far so good, the logging I requested is there but at debug2 level,
or more generically at verbose level.

with more and more bruteforce toys being available online I do wonder if
this kind of thing really ought to be at a higher volume to alert that
unknown keys are being used on systems.  with lost/stolen keys I would
imagine most people would delete and recreate rather than making use of
RevokedKeys, and so not know if folks are silently trying to connect to
their hosts.
I do appreciate though that many machines will try their public keys
first and thus possibly create unnecessary noise in logs.

is it worth making this a config file option that could be enabled /
disabled on sshd start ?
or am i alone in this line of thinking and should just patch my source

please let me know your thoughts,

More information about the openssh-unix-dev mailing list