[PATCH] Log source of keys when using AuthorizedKeysCommand

Robert Jennings robert.jennings at canonical.com
Fri Feb 22 03:05:27 AEDT 2019

This is my first patch to openssh and I hope that I've approached
this well.

When using the AuthorizedKeysCommand the ssh daemon does not log the
source (local disk or AuthorizedKeysCommand) for the accepted key.
This patch adds a LOG_INFO level message when a key is matched from
the command so that users auditing their systems will know how the
key was injected.

Robert Jennings

 auth2-pubkey.c |    3 +++
 1 file changed, 3 insertions(+)

Index: b/auth2-pubkey.c
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -975,6 +975,9 @@ user_key_command_allowed2(struct ssh *ss
 	/* Read completed successfully */
 	found_key = ok;
+	if (ok)
+		logit("%s: Key for %s found via AuthorizedKeysCommand: %s",
+		    __func__, user_pw->pw_name, format_key(key));
 	if (f != NULL)

More information about the openssh-unix-dev mailing list