Patch logging comment field of authorized key being used

Michael Niksch nik at zurich.ibm.com
Tue May 13 02:07:28 EST 2003


In order to comply with our internal security guidelines, we created a
patch on top of openssh-3.6.1p2. With that patch, if sshd sets up a
session based on key authentication, it logs to syslog which one of the
keys in authorized_keys or authorized_keys2 is actually being used. The
patch logs the key comment (typically the key owner's email address) as
well as the name of the file containing the key. The original code
preserves similar information only for protocol 2, and it does so only
in verbose/debug mode, and only in the form of line number/key
fingerprint.

The patch is attached as patch-z.txt. It is pretty trivial, but
probably useful for many others, too.

WE'D LIKE TO SUGGEST THAT THE PATCH BE INCORPORATED INTO THE OpenSSH
SOURCE TREE.

-- 
Michael Niksch                     /Zurich/IBM @ IBMCH
IBM Zurich Research Laboratory     nik at zurich.ibm.com
Saeumerstrasse 4                   http://www.zurich.ibm.com/~nik/
CH-8803 Rueschlikon / Switzerland  P: +41-1-724-8913 F: +41-1-724-8080
-------------- next part --------------
*** auth-rsa.c.orig	Tue Jun 11 17:47:42 2002
--- auth-rsa.c	Thu May  8 14:43:33 2003
***************
*** 257,266 ****
--- 257,270 ----
  		 */
  		if (!auth_parse_options(pw, options, file, linenum))
  			continue;
  
  		/* break out, this key is allowed */
+ 		/* Log matching key's comment after stripping '\n'. */
+ 		if ( strlen(cp) && ( cp[strlen(cp)-1] == '\n' ) ) 
+ 			cp[strlen(cp)-1] = '\0';
+ 		log("Authorized key '%s' in %s", cp, file);
  		allowed = 1;
  		break;
  	}
  
  	/* Restore the privileged uid. */
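Review bot: the log() sits in auth_rsa_key_allowed(), which at this point has only matched the client's modulus against a line of the file; the RSA challenge that proves possession of the private key runs later in the caller, so "Authorized key '%s' in %s" is written for a client that has merely presented a public key. Either word it like the existing auth2-pubkey.c verbose() ("Found matching key") or log it from the caller once the challenge succeeds. cp is text the account owner wrote into authorized_keys, so log it with a bounded conversion such as "%.100s" like the other messages in this file, and check that do_log()'s escaping covers control characters in it; otherwise a comment containing '\r' or terminal escape sequences reaches syslog as-is. Minor: compute strlen(cp) once instead of three times, and KNF has no spaces inside the parentheses, i.e. `if (strlen(cp) && cp[strlen(cp)-1] == '\n')`.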
*** auth2-pubkey.c.orig	Thu Jun  6 22:27:56 2002
--- auth2-pubkey.c	Thu May  8 17:08:43 2003
***************
*** 237,246 ****
--- 237,253 ----
  			}
  		}
  		if (key_equal(found, key) &&
  		    auth_parse_options(pw, options, file, linenum) == 1) {
  			found_key = 1;
+ 			/* Skip remaining whitespace. */
+ 			for (; *cp == ' ' || *cp == '\t'; cp++)
+ 				;
+ 			/* Log matching key's comment after stripping '\n'. */
+ 			if ( strlen(cp) && ( cp[strlen(cp)-1] == '\n' ) )
+ 				cp[strlen(cp)-1] = '\0';
+ 			log("Authorized key '%s' in %s", cp, file);
  			debug("matching key found: file %s, line %lu",
  			    file, linenum);
  			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
  			verbose("Found matching %s key: %s",
  			    key_type(found), fp);
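Review bot: user_key_allowed() is, as far as I recall of 3.6's userauth_pubkey(), called both for the signature-less "is this key acceptable" query and again on the real attempt before key_verify(), so this log() announces "Authorized key" for a bare probe with any public key the client happens to hold and then once more on the successful login. Better to hand the comment back to userauth_pubkey() and log it once next to the existing accept/reject decision, or at least use verbose() here to match the neighbouring fingerprint message rather than an INFO-level line that reads like an audit record. The whitespace skip and newline strip also duplicate the four lines added to auth-rsa.c; factor them into one small helper, and pass cp with "%.100s" as the other messages in this file do, since the comment is user-written text.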

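Both hunks hand the comment field to log() verbatim, and that field is free text written by the account owner into authorized_keys. The following is an added example, not part of the patch or of OpenSSH: it parses a line in either format the patch handles (protocol 1 "bits e n comment" and protocol 2 "keytype base64 comment", each with an optional leading options field that may contain quoted whitespace), isolates the comment, bounds its length and escapes control characters the way vis(3) with VIS_OCTAL would, so the result can be passed to syslog without letting a hostile comment forge or hide log lines. The key-type list, COMMENT_MAX, the function names and the sample lines in the test are all assumptions constructed for the example.

```c
/* Added example, not OpenSSH code: isolate the comment field of an
 * authorized_keys line and make it safe to pass to syslog. The key-type
 * list and COMMENT_MAX are assumptions chosen for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 100	/* bound the comment like OpenSSH's "%.100s" formats */

static const char *const key_types[] = { "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", NULL };

static int is_key_type(const char *tok, size_t len)
{
	for (int i = 0; key_types[i] != NULL; i++)
		if (strlen(key_types[i]) == len && memcmp(key_types[i], tok, len) == 0)
			return 1;
	return 0;
}

static const char *skip_ws(const char *p)
{
	while (*p == ' ' || *p == '\t')
		p++;
	return p;
}

/* Advance past one token; with quotes=1 a double-quoted span may contain
 * whitespace, as in the options from="a b" or command="...". */
static const char *skip_token(const char *p, int quotes)
{
	int quoted = 0;
	for (; *p != '\0'; p++) {
		if (quotes && *p == '\\' && p[1] == '"') { p++; continue; }
		if (quotes && *p == '"') { quoted = !quoted; continue; }
		if (!quoted && strchr(" \t\r\n", *p) != NULL)
			break;
	}
	return p;
}

/* Copy inlen bytes to out, escaping '\' as "\\" and any byte outside printable
 * ASCII as "\ooo" (what vis(3) VIS_OCTAL emits), so a hostile comment cannot put
 * newlines or terminal escapes into the log. NUL-terminates; returns length. */
size_t log_sanitize(const char *in, size_t inlen, char *out, size_t outsz)
{
	size_t o = 0;
	for (size_t i = 0; i < inlen && outsz > 0; i++) {
		unsigned char c = (unsigned char)in[i];
		size_t need = c == '\\' ? 2 : (c >= 0x20 && c < 0x7f) ? 1 : 4;
		if (o + need >= outsz)
			break;	/* no room left: truncate rather than overflow */
		if (need == 1)
			out[o++] = (char)c;
		else if (need == 2)
			{ out[o++] = '\\'; out[o++] = '\\'; }
		else
			o += (size_t)sprintf(out + o, "\\%03o", (unsigned)c);
	}
	if (outsz > 0)
		out[o] = '\0';
	return o;
}

/* Parse "[options] bits e n [comment]" (protocol 1) or "[options] keytype
 * base64 [comment]" (protocol 2) and write the sanitized, length-bounded
 * comment to out. Returns 1 if the line carried a key, else 0. */
int authkey_comment(const char *line, char *out, size_t outsz)
{
	const char *p = skip_ws(line), *end;
	size_t n;
	if (*p == '\0' || *p == '\n' || *p == '#')
		return 0;
	end = skip_token(p, 0);
	if (!isdigit((unsigned char)*p) && !is_key_type(p, (size_t)(end - p))) {
		p = skip_ws(skip_token(p, 1));	/* skip the options field */
		end = skip_token(p, 0);
	}
	if (isdigit((unsigned char)*p)) {
		for (int i = 0; i < 3; i++)	/* bits, exponent, modulus */
			p = skip_ws(skip_token(p, 0));
	} else if (is_key_type(p, (size_t)(end - p))) {
		p = skip_ws(skip_token(skip_ws(end), 0));	/* past the base64 blob */
	} else
		return 0;
	n = strlen(p);	/* strip only the line terminator; anything else gets escaped */
	while (n > 0 && (p[n - 1] == '\n' || p[n - 1] == '\r'))
		n--;
	log_sanitize(p, n > COMMENT_MAX ? COMMENT_MAX : n, out, outsz);
	return 1;
}

/* 1 if line's sanitized comment equals expect, 0 if not, -1 if no key on line. */
int comment_equals(const char *line, const char *expect)
{
	char out[4 * COMMENT_MAX + 1];	/* worst case: every byte escaped */
	if (!authkey_comment(line, out, sizeof out))
		return -1;
	return strcmp(out, expect) == 0;
}
```

Call authkey_comment() on each line read from the key file and pass the resulting buffer to log(); because the output contains only printable ASCII and is at most 4 * COMMENT_MAX bytes, a comment such as "x<ESC>[2K<CR>sshd[1]: Accepted publickey for root" shows up in syslog as `x\033[2K\015sshd[1]: ...` instead of overwriting the line on an operator's terminal.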

More information about the openssh-unix-dev mailing list