LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
Lars Noodén
lars.nooden at gmx.com
Thu May 22 00:06:21 AEST 2025
On 4/5/25 15:01, Lars Noodén wrote:
> I notice that when using log level INFO it seems sshd(8) provides very
> little information about failed SSH certificate login attempts:
>
> Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid
>
> Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired
>
> Likewise for invalid principals:
>
> Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal
>
> Is that on purpose or is there a recommended practice to note the
> account, principal, or certificate used in failed attempts?
>
> Having a valid principal + certificate but from an invalid source
> address provides more information in the log, but it is split into two
> lines:
>
> Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
> Apr 5 14:57:47 server sshd-session[78381]: error: Refused by certificate options
>
> Thanks,
> Lars
Apologies for the timing of the first message.
As a follow up, it would save a lot of detective work with the logs if,
when a specific certificate is part of the problem, the certificate's id
and serial number were included in the log message. I'm not sure what
the best punctuation might be or if there is already an established
practice for annotating all that. But here is an illustration of how it
could be:
Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid, id=abcdefg serial=23456
and
Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired, id=abcdefg serial=23456 date=2025-04-02T12:45:47
and
Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal, id=abcdefg serial=23456 name=someone
Perhaps for all those the reason variable in sshkey.c would be the place
to append the id and serial number.
When authentication is refused by certificate options, having the
information all in a single log entry would help:
Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65). error: Refused by certificate options, id=abcdefg serial=23456
That example is a long line, but the combination would save a lot of
effort otherwise spent trying to track down and connect separate lines,
especially when the log is being filled quickly by bot probes.
/Lars
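As an added example (not part of this thread and not OpenSSH code), the log correlation the post describes, done in Python on the sshd side of the fence: it parses sshd-session lines, keys them by PID so the separate "cert:" context line is folded into the following "Refused by certificate options" error, and reads the proposed id=/serial= annotations when a line carries them. The sample lines are constructed from the formats quoted above; the annotated ones follow the post's proposal, which sshd does not emit today, and the regexes and field names are this example's own assumptions.

```python
"""Correlate sshd certificate-auth failures from syslog-style lines.

Added example, not OpenSSH code. Groups messages by sshd-session PID so
the two-line 'cert:' + 'error:' refusal becomes one event, and reads the
id=/serial= annotations proposed in the thread when they are present.
"""
import re
from collections import Counter

# Constructed sample input. The first five lines follow the current sshd
# format quoted in the thread; the last two use the key=value annotation
# the thread proposes, which sshd does not emit today.
SAMPLE_LOG = """\
Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid
Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired
Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal
Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr 5 14:57:47 server sshd-session[78381]: error: Refused by certificate options
Apr 5 15:01:10 server sshd-session[90210]: error: Certificate invalid: expired, id=abcdefg serial=23456 date=2025-04-02T12:45:47
Apr 5 15:02:33 server sshd-session[90344]: error: Certificate invalid: name is not a listed principal, id=abcdefg serial=23456 name=someone
"""

# Assumed line shape: "<ts> <host> sshd-session[<pid>]: <level>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd-session\[(?P<pid>\d+)\]: (?P<level>[a-z]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"\b(\w+)=(\S+)")               # proposed id=.. serial=.. annotations
USER_RE = re.compile(r"Authentication tried for (\S+) ")
SRC_RE = re.compile(r"source address \(([^)]+)\)")


def parse_line(line):
    """Return the fields of one sshd-session log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def split_annotations(msg):
    """Separate trailing key=value annotations from the human-readable text."""
    kv = dict(KV_RE.findall(msg))
    text = KV_RE.sub("", msg).strip().rstrip(",").strip()
    return text, kv


def correlate(log_text):
    """One event per 'error:' line, enriched with any 'cert:' context that
    the same sshd-session PID logged just before it."""
    pending = {}   # pid -> context from a 'cert:' line not yet consumed
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["level"] == "cert":
            ctx = {}
            if (u := USER_RE.search(rec["msg"])):
                ctx["user"] = u.group(1)
            if (s := SRC_RE.search(rec["msg"])):
                ctx["src"] = s.group(1)
            pending[rec["pid"]] = ctx
            continue
        if rec["level"] != "error":
            continue
        text, kv = split_annotations(rec["msg"])
        if text.startswith("Certificate invalid: "):
            category, reason = "cert_invalid", text[len("Certificate invalid: "):]
        elif text == "Refused by certificate options":
            category, reason = "cert_options_refused", text
        else:
            category, reason = "other", text
        event = {"ts": rec["ts"], "pid": rec["pid"],
                 "category": category, "reason": reason}
        # pop, not get: PIDs are reused over a long log, so consumed context
        # must not leak onto a later, unrelated connection
        event.update(pending.pop(rec["pid"], {}))
        event.update(kv)
        events.append(event)
    return events


def count_by_reason(events):
    """Failures per reason: the summary that separates bot noise from a real expiry."""
    return Counter(e["reason"] for e in events)


if __name__ == "__main__":
    evs = correlate(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(count_by_reason(evs))
```

Until the annotations exist, the PID join is the only link between the "cert:" line and its "error:" line, which is why the context is consumed on the first matching error rather than kept around; once id= and serial= are on the error line itself, the same parser picks them up without any pairing.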