Logging authorized key info

Frank Mohr f_mohr at yahoo.de
Fri Sep 28 03:35:16 EST 2001


Peter W wrote:
> 
> On Thu, Sep 27, 2001 at 12:27:23PM -0400, Nicolas Williams wrote:
> 
> > The key name field from the authorized_keys entry (or, missing that, the
> > public key fingerprint) should be logged.
> 
> Do you mean the comment field? Since that's user-supplied, is there any
> concern about mischievous values? A hex-encoded fingerprint value on the
> other hand would always be safe/predictable & relatively short.
> 

It's not in all cases user-supplied. On our servers we use a nightly root cron job to fill the authorized_keys files from an LDAP server and set the comment field to unique values. The authorized_keys file is only writable by root.

I've patched the server to log that comment field to syslog and to set an environment variable (SSH_ORIGINAL_USER) to that value (I use that variable for a command="" started relay software).

I still have to split my patch file into logical pieces (logging, AIX SRC and some data type fixes). I'll post it after my holidays.

Nevertheless, an additional fingerprint log would be nice (not only to give something new to our "security auditing department" ;-).

Frank
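The thread turns on two points: a comment field is free text that an admin (or, on other setups, a user) controls, while a hex-encoded fingerprint is fixed-width and safe to write into a log verbatim. The following added example illustrates both; it is not Frank's patch and not OpenSSH code. It parses one authorized_keys line (options, key type, key blob, comment), derives the colon-separated hex MD5 fingerprint OpenSSH printed at the time plus the SHA256 form current releases use, and escapes any non-printable bytes in the comment before building a log record. The key blob, the authorized_keys line, the log format and the escaping policy are all constructed for the example; the modulus is a meaningless small number, not a real key.

```python
import base64
import hashlib
import struct

# Key types this parser recognises (a subset of what OpenSSH accepts).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (extra 0x00 byte if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample blob: a syntactically valid ssh-rsa public key (type string,
# exponent e, modulus n) with a tiny, meaningless modulus. It is NOT a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)

# Constructed authorized_keys line: a command= option (as in the relay setup in the
# post), the key, and a comment carrying a carriage return followed by text that
# would look like a second syslog record if written out unescaped.
SAMPLE_LINE = (
    'command="/usr/local/bin/relay" ssh-rsa '
    + base64.b64encode(SAMPLE_BLOB).decode("ascii")
    + " uid=fmohr\rsshd[1]: Accepted root\n"
)


def _split_fields(line: str):
    """Split on spaces/tabs, keeping double-quoted option values (e.g. command="a b") intact."""
    fields, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch in " \t" and not in_quote:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_authorized_keys_line(line: str) -> dict:
    """Return options, key type, decoded key blob and verbatim comment from one line."""
    line = line.rstrip("\n")
    fields = _split_fields(line)
    for i, field in enumerate(fields):
        if field in KEY_TYPES:
            break
    else:
        raise ValueError("no recognised key type in line")
    if i + 1 >= len(fields):
        raise ValueError("key type without key data")
    key_type, b64 = fields[i], fields[i + 1]
    blob = base64.b64decode(b64, validate=True)
    # Sanity check: the type string embedded in the blob must match the declared type.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type mismatch between text and blob")
    # The comment is everything after the key data, taken verbatim: it may contain any
    # byte except a newline, which is exactly why it needs escaping before logging.
    end = line.index(b64) + len(b64)
    comment = line[end:].strip(" \t")
    return {"options": fields[:i], "key_type": key_type, "blob": blob, "comment": comment}


def fingerprint_md5_hex(blob: bytes) -> str:
    """Colon-separated hex MD5 over the raw blob: 47 characters from a fixed alphabet."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as unpadded base64, the form current OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def sanitize_for_log(text: str, max_len: int = 64) -> str:
    """Escape every byte outside printable ASCII (plus backslash) as \\xNN and cap the
    length, so the comment cannot terminate or reshape the syslog record (policy assumed here)."""
    out = []
    for b in text[:max_len].encode("utf-8"):
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    if len(text) > max_len:
        out.append("...")
    return "".join(out)


def auth_log_line(user: str, line: str) -> str:
    """Assumed log format: fingerprint (always safe) plus the escaped comment."""
    entry = parse_authorized_keys_line(line)
    return (f"Accepted publickey for {user} "
            f"fingerprint={fingerprint_md5_hex(entry['blob'])} "
            f"comment={sanitize_for_log(entry['comment'])}")


if __name__ == "__main__":
    print(auth_log_line("fmohr", SAMPLE_LINE))
```

The same escaping step applies before the comment is exported into an environment variable such as the SSH_ORIGINAL_USER the post describes, since a relay started via command="" may itself write that value into its logs or pass it on to another program.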
