Logging of authorized keys

Randy Zagar zagar at arlut.utexas.edu
Sun Sep 4 03:38:39 EST 2005


This is a follow-up on a thread from last year requesting that openssh
indicate which authorized key was accepted during a login as opposed to
just logging that a key was accepted...

Here's the old message:

        It is possible for ~user/.ssh/authorized_keys to have multiple
        entries.  It would be quite helpful if openssh would enhance the
        log to indicate WHICH key was accepted, not just that a key was
        accepted.
        
        In other words, would you please modify:
        
         $TIMESTAMP $HOST sshd[$PID]: Accepted publickey for $USER from $IP port
        $PORT $PROTOCOL
        
        to add an indication (e.g., the comment field) as to which key was used:
        
         $TIMESTAMP $HOST sshd[$PID]: Accepted publickey ($COMMENT) for $USER from
        $IP port $PORT $PROTOCOL
        
        	--- Noel

I understand that this has come up before and has generally been denied
on the basis that the comment field is arbitrary user input that
shouldn't be trusted.

I agree, but...

I cannot stress strongly enough that this kind of auditing record is a
requirement for any system operating under CAPP and/or NISPOM auditing
guidelines.  These guidelines are required in security-sensitive
environments, and they both require that logins need to be tied to a
specific authorized user...  not just an unspecified user who happens to
be authorized.

Since we both agree that the comment field isn't trustworthy, I'd like
to suggest some alternate ways of dealing with this:

     1. Convert the $COMMENT field to Base64.  That would be safe...
     2. You could use the MD5/SHA checksum of the $COMMENT field, or
     3. Use the checksum of the public key itself

The only reason I'm writing today is because it didn't look like there
was a clear explanation of why this extra information is needed in the
audit log.  Hopefully, this provides a little more background.

So, is this something that we can move forward with or am I looking at
another rejected feature request?

-RZ

p.s.  Here are some reference documents 4 U...  

CAPP -		Controlled Access Protection Profile
		http://niap.nist.gov/cc-scheme/pp/PP_CAPP_V1.d.pdf

NISPOM -	National Industrial Security Program Operations Manual
		http://www.dss.mil/isec/nispom.pdf
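The following is an added example, not code from the original message or from OpenSSH, showing how option 3 above (identifying the key by a checksum of the public key itself rather than by its comment) can be used to tie an accepted login back to one specific authorized_keys entry. It parses an authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key (the same value `ssh-keygen -lf` prints: SHA-256 over the wire-format key blob, base64 without padding), and resolves a log line carrying such a fingerprint to the exact line, comment and options of the matching entry. The authorized_keys contents, the key material and the log line are all constructed for the example, and the log line format with a trailing key type and fingerprint is an assumption of this example, not the 2005 format quoted in the message.

```python
"""Resolve an accepted-key fingerprint to a specific authorized_keys entry.

Added example (not from the original post or OpenSSH). All keys, the
authorized_keys text and the log line below are constructed test data.
"""
import base64
import hashlib
import re
import struct
from typing import Optional

# Key types this example recognises in authorized_keys (subset of OpenSSH's).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Assumed audit-line shape: "... Accepted publickey for USER from IP port N ssh2: TYPE SHA256:...".
LOG_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)"
)
# Leading options field: runs until the first whitespace outside double quotes.
OPTIONS_RE = re.compile(r'((?:[^\s"]|"[^"]*")+)\s+(.*)$')


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint of a decoded key blob, as ssh-keygen -lf prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line: line number, options, type, fingerprint, comment.

    The comment is kept for display only; the fingerprint is the identity,
    since the comment is arbitrary user input (two keys may share one).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            m = OPTIONS_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: cannot split options from key")
            options, line = m.group(1), m.group(2)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: not a recognised key line")
        keytype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        blob = base64.b64decode(b64, validate=True)
        # The blob's first field must name the same key type as the text does.
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] != keytype.encode():
            raise ValueError(f"line {lineno}: key blob type does not match {keytype}")
        entries.append({"line": lineno, "options": options, "type": keytype,
                        "fingerprint": fingerprint(blob), "comment": comment})
    return entries


def resolve_login(log_line: str, entries: list) -> Optional[dict]:
    """Match the fingerprint in an accepted-publickey log line to an entry, or None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    for e in entries:
        if e["fingerprint"] == m.group("fp"):
            return {"user": m.group("user"), "from": m.group("ip"), **e}
    return None


def make_ed25519_entry(seed: int, comment: str, options: str = "") -> str:
    """Constructed ssh-ed25519 line whose 32-byte 'public key' is derived from seed.

    This is syntactically valid test data, not a real key pair.
    """
    pub = hashlib.sha256(b"example-key-%d" % seed).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
    return f"{options} {line}" if options else line


# Constructed authorized_keys: two keys share the comment "deploy", which is
# exactly the ambiguity an audit record keyed on the comment cannot resolve.
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "",
    make_ed25519_entry(1, "alice@laptop"),
    make_ed25519_entry(2, "deploy"),
    make_ed25519_entry(3, "deploy"),
    make_ed25519_entry(4, "backup@nas", options='from="10.0.0.0/8,192.0.2.0/24",no-pty'),
])
ENTRIES = parse_authorized_keys(AUTHORIZED_KEYS)

# Constructed log line (assumed format) naming the third key by fingerprint.
SAMPLE_LOG = ("Sep  4 03:38:39 host sshd[4242]: Accepted publickey for zagar "
              "from 192.0.2.10 port 51234 ssh2: ED25519 " + ENTRIES[2]["fingerprint"])

if __name__ == "__main__":
    hit = resolve_login(SAMPLE_LOG, ENTRIES)
    print(f"login by {hit['user']} used authorized_keys line {hit['line']} "
          f"({hit['comment']!r}, options={hit['options']!r})")
```

The fingerprint is computed over the decoded blob, not over the base64 text, so it agrees with `ssh-keygen -lf authorized_keys` and can be compared against whatever the server logs; a base64 or hashed comment (options 1 and 2) would still be ambiguous for the two "deploy" keys, while the fingerprint is not.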