[Bug 1282] Log which key used for authentication

bugzilla-daemon at mindrot.org
Sat Feb 10 02:19:51 EST 2007


           Summary: Log which key used for authentication
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: low-hanging-fruit
          Severity: security
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: bbeaudoin at peer1.com

In INFO mode, the number of the key in .ssh/authorized_keys isn't
logged (though sshd does log the fact a public key was used for
authentication).  The same issue occurs when a valid key is used from
an invalid host (the system logs that a valid key was presented, but
not which one).

The man page states that DEBUG logging level is not recommended for
privacy reasons; there is a real need to audit connections based on the
keys used from which hosts.  Could this logging feature be moved from
DEBUG to INFO to alleviate audit concerns without the additional

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
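
The audit this report asks for, as an added example that is not part of the original report or of OpenSSH: it maps each accepted public-key login back to a line in authorized_keys. It assumes sshd log lines that carry the key type and SHA256 fingerprint after `ssh2:`, as later OpenSSH releases emit; the function names, key blobs, users and addresses are constructed for illustration.

```python
import base64, hashlib, re

# Key type, then base64 blob; options whose quoted text contains a key-type word are not handled.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)")
# Assumed log format: "... ssh2: <TYPE> SHA256:<fingerprint>".
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint as unpadded base64, the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def index_authorized_keys(text):
    """Map fingerprint -> (line number, comment) for every key line."""
    index = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = None if line.startswith("#") else KEY_RE.search(line)
        if m:
            index[fingerprint(m.group(2))] = (lineno, line[m.end():].strip())
    return index

def audit(log_text, index):
    """Return (user, source host, authorized_keys line or None, comment) per login."""
    rows = []
    for user, host, fp in LOG_RE.findall(log_text):
        lineno, comment = index.get(fp, (None, ""))
        rows.append((user, host, lineno, comment))
    return rows

def sample_blob(seed):
    # Constructed ed25519-shaped blob: length-prefixed type name plus 32 filler bytes.
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(body).decode()

AUTHORIZED_KEYS = (  # constructed sample file
    "# keys for the deploy account\n"
    f"ssh-ed25519 {sample_blob(1)} alice@laptop\n"
    f'from="192.0.2.*",no-pty ssh-ed25519 {sample_blob(2)} backup@batch\n'
)
SAMPLE_LOG = (  # constructed log lines; the third key is not in the file
    f"sshd[411]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2: ED25519 {fingerprint(sample_blob(2))}\n"
    f"sshd[412]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2: ED25519 {fingerprint(sample_blob(1))}\n"
    f"sshd[413]: Accepted publickey for deploy from 203.0.113.5 port 40101 ssh2: ED25519 {fingerprint(sample_blob(3))}\n"
)

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, index_authorized_keys(AUTHORIZED_KEYS)):
        print(row)
```

A row whose line number is `None` is a login with a key that is absent from the indexed file, for example one that was removed after use or that lives in a different authorized_keys file.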