public key authentication -- log invalid keys

Scott Duckworth sduckwo at clemson.edu
Tue Apr 29 06:13:53 EST 2014


On Fri, Apr 25, 2014 at 1:07 PM, TheGezer <openssh-unix-dev at thegeezer.net> wrote:

> On 04/25/2014 05:41 PM, Eldon Koyle wrote:
> > I think you could end up with a lot of false positives doing this.
> yup
> > I know I have quite a few keys that my client will try before falling
> > back to password authentication.  You would need to have enough logic in
> > your script to see if the authentication succeeds at some point or have
> > a very high limit.
> >
> > It might be more interesting to make a database of bad public keys or
> interestingly openssh *does* log revoked keys
> http://en.wikibooks.org/wiki/OpenSSH/Logging#Logging_Revoked_Keys
> > fingerprints and block any addresses that attempt one of them (assuming
> > you can get openssh to log the failed keys somehow).
> >
> if only i knew how to log the failed keys :)
>

If sshd doesn't log what you need, perhaps you can use
AuthorizedKeysCommand with the akcenv patch
[https://github.com/ScottDuckworth/openssh-akcenv] to generate the logs for
you.  The akcenv patch passes the key and the fingerprint to the
AuthorizedKeysCommand process in environment variables, so you could make a
script that searches for the matching key in ~/.ssh/authorized_keys (or
some other source) and writes to a log (or updates your firewall directly) if
it's not found.

The akcenv patch was first proposed on this mailing list last month, ending
up with what seemed like a general consensus of being a good thing, but
seems to have fizzled out in the bug tracker
[https://bugzilla.mindrot.org/show_bug.cgi?id=2081].  If you find it of use
for your scenario (which is very different from the use case it was
designed for) then please update that bug so that the maintainers know it's
useful for multiple things.
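An added example (not from the message above, nor from the akcenv patch or OpenSSH itself) of the AuthorizedKeysCommand script Scott sketches: it takes the offered key from the environment, looks it up in the user's authorized_keys, hands any matching line back to sshd on stdout, and appends a log record when no line matches. Assumptions: the patch exports the offered key as SSH_KEY_TYPE, SSH_KEY and SSH_KEY_FINGERPRINT (hypothetical variable names; check the patch for the real ones), sshd is configured with `AuthorizedKeysCommand /usr/local/sbin/akc-log %u %h` plus a matching AuthorizedKeysCommandUser, and the log path /var/log/sshd-badkeys.log is made up. The lookup compares whole whitespace-separated fields rather than doing a substring match, so an option prefix such as `command="..."` is tolerated and a key that is merely a prefix of an authorized one is not accepted.

```shell
#!/bin/sh
# Added example of an akcenv-style AuthorizedKeysCommand; not code from the
# patch or from OpenSSH. Environment variable names below are assumed.

# Where rejected-key records go (hypothetical path); override via environment.
: "${AKC_LOG:=/var/log/sshd-badkeys.log}"

# lookup_key USER TYPE KEY AUTHFILE
# Prints every authorized_keys line whose adjacent "TYPE KEY" fields equal
# the offered key, so sshd receives the line with its original options.
# Exits 1 when nothing matches. Field comparison avoids prefix/substring hits.
lookup_key() {
    awk -v t="$2" -v k="$3" '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i == t && $(i + 1) == k) { print; found = 1; break }
        }
        END { exit found ? 0 : 1 }
    ' "$4"
}

# log_bad_key USER TYPE FINGERPRINT CLIENT
# One line per rejected offer; a real deployment might use logger(1) instead.
log_bad_key() {
    printf '%s user=%s type=%s fp=%s client=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" >> "$AKC_LOG"
}

# check_key USER TYPE KEY FINGERPRINT AUTHFILE
# Returns 0 (and prints the matching lines) for an authorized key,
# 1 after logging for anything else. The client address comes from
# SSH_CONNECTION, which sshd sets for the command (or "unknown" when absent).
check_key() {
    if lookup_key "$1" "$2" "$3" "$5"; then
        return 0
    fi
    client="${SSH_CONNECTION%% *}"
    log_bad_key "$1" "$2" "$4" "${client:-unknown}"
    return 1
}

# Entry point when sshd runs this script with arguments "%u %h".
# Only runs when the assumed SSH_KEY_TYPE variable is present.
if [ -n "${SSH_KEY_TYPE:-}" ]; then
    check_key "$1" "$SSH_KEY_TYPE" "$SSH_KEY" "$SSH_KEY_FINGERPRINT" \
        "$2/.ssh/authorized_keys"
fi
```

Because the script only logs keys that are absent from the user's file, a client cycling through its agent keys before the right one produces at most a handful of records per login, and those records carry the fingerprint, so a fail2ban-style rule can key on repeated offers of the same unknown fingerprint rather than on raw failure counts.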

