[PATCH] ssh-agent: Add key usage logging for unconstrained keys with session bindings

Damien Miller djm at mindrot.org
Mon Dec 15 12:15:43 AEDT 2025


On Sun, 14 Dec 2025, Manon Goo wrote:

> Hi,
>
> I'd like to propose a patch (60 lines in a single location in
> ssh-agent.c) that adds debug logging for signature requests made with
> unconstrained keys when session bindings are present.
>
> Motivation:
>
> Currently, when a key is loaded with destination constraints
> (ssh-add -h), the agent logs information about signing operations
> via debug_f("user=%s") and the detailed session binding chain
> via identity_permitted(). However, for unconstrained keys, this
> information is not logged even though the session bindings exist.
>
> This creates a gap for users who want visibility into which hosts
> their keys are being used to authenticate to, without necessarily
> wanting to enforce restrictions. The use case is monitoring - being
> able to see in debug logs where keys are being used.
>
> In my case, I am writing a wrapper application that keeps a log of key
> usage. Having this debug output available for unconstrained keys would
> allow tracking authentication events.
>
> What the patch does:
>
> For unconstrained keys (ndest_constraints == 0) with active session
> bindings (nsession_ids > 0), the patch:
>
> 1. Attempts to parse the userauth request (same as done for
>    constrained keys)
>
> 2. Logs debug_f("signing for user \"%s\" with unconstrained key " "%s %s",
>    user, sshkey_type(id->key), fp)
>
> 3. Logs session binding details via debug3_f() - matching the style in
>    identity_permitted()
>
> The patch does not change any behavior - it only adds logging. The
> existing constrained key code path remains unchanged.
>
> Example output (with -d):
>
> debug1: process_sign_request2: signing for user "tester" with
> unconstrained key RSA SHA256: XXXX
> debug3: process_sign_request2: session binding 0 AUTH, hostkey ED25519
> SHA256:XXXX
> debug3: process_sign_request2: hostkey in signature: ED25519
> SHA256:XXXX

Thanks for looking at this, I think this idea is fine but I have a
few comments:

1. We should be logging more stuff with logit() rather than debug() in
ssh-agent.c. A number of downstreams are running ssh-agent using socket
activation by default now, and in this configuration it's possible to
plumb user logs to somewhere visible. These would generally be lost at
debug() loglevel but not logit().

IMO it's worth reviewing the existing debug() calls to see which
should be made into logit() and/or finding places where useful
logging could be added now. This could be a separate patch.

2. These extra permission checks are starting to become unwieldy and
to make process_sign_request2() harder to read. I think they should
be factored out into a separate function, e.g.

    int check_sign_permission(SocketEntry *e, struct identity *id,
        struct sshbuf *data)

3. This function should handle the webauthn case, where it currently
calls check_websafe_message_contents() too, and combining all
these checks means that they can probably be simplified.

4. (This is more of a general observation.) The whole forwarding
permissions thing is much more powerful than we currently express
via the UI. There's plenty more that could be done here.

-d
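
For the wrapper use case described in the quoted proposal, the following is an added example (not part of either message and not OpenSSH code) that groups the proposed debug lines into one record per signing request. The line formats are taken from the example output in the proposal and are an assumption, since the patch is only proposed; `parse_key_usage` and the sample fingerprints are constructed for illustration.

```python
import re

# Line shapes follow the example output quoted in the proposal; they are an
# assumption about a proposed patch, not a stable ssh-agent log format.
PREFIX = r"^debug\d: process_sign_request2: "
FP = r"(?P<type>\S+) (?P<fp>SHA256:\S+)$"
SIGN_RE = re.compile(
    PREFIX + r'signing for user "(?P<user>[^"]*)" with unconstrained key ' + FP)
BIND_RE = re.compile(
    PREFIX + r"session binding (?P<idx>\d+) (?P<kind>\w+), hostkey " + FP)
SIGHK_RE = re.compile(PREFIX + r"hostkey in signature: " + FP)


def parse_key_usage(lines):
    """Group agent debug lines (one log entry per line) into signing events."""
    events, current = [], None
    for raw in lines:
        line = raw.strip()
        m = SIGN_RE.match(line)
        if m:
            # A "signing for user" line opens a new event.
            current = {"user": m["user"], "key": f'{m["type"]} {m["fp"]}',
                       "bindings": [], "signed_hostkey": None}
            events.append(current)
            continue
        if current is None:
            continue  # binding detail with no preceding signing line: skip
        m = BIND_RE.match(line)
        if m:
            current["bindings"].append(
                (int(m["idx"]), m["kind"], f'{m["type"]} {m["fp"]}'))
            continue
        m = SIGHK_RE.match(line)
        if m:
            current["signed_hostkey"] = f'{m["type"]} {m["fp"]}'
    return events


# Constructed sample input; the fingerprints are placeholders, not real keys.
SAMPLE = """\
debug3: process_sign_request2: session binding 0 AUTH, hostkey ED25519 SHA256:orphanAAAA
debug1: process_sign_request2: signing for user "tester" with unconstrained key RSA SHA256:keyAAAA
debug3: process_sign_request2: session binding 0 AUTH, hostkey ED25519 SHA256:hostAAAA
debug3: process_sign_request2: hostkey in signature: ED25519 SHA256:hostAAAA
debug1: some_other_function: unrelated line
debug1: process_sign_request2: signing for user "deploy" with unconstrained key ED25519 SHA256:keyBBBB
debug3: process_sign_request2: session binding 0 AUTH, hostkey RSA SHA256:hostBBBB
""".splitlines()
```

These lines only appear at debug log levels, so a wrapper that depends on them loses the events when the agent runs without -d, which is the gap the logit() comment in the reply addresses.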

