bugzilla-daemon at mindrot.org
2013-Mar-24 21:46 UTC
[Bug 2082] New: Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

            Bug ID: 2082
           Summary: Please add pubkey fingerprint to authentication log message
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.2p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: michael at mgeb.org

Hi all,

As a pubkey is effectively a multiplexing of multiple sysadmins on a single user, it would be very nice to have the pubkey fingerprint written by default in the authentication log line. Most of the time this is the reason pubkeys are forbidden for root, as it's not clear who logged in.

There were patches for this at various companies, though I've never seen them beyond the log lines which included the pubkey fingerprint.

Michael

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Mar-25 00:07 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
It's already there; you just need to set LogLevel=verbose. See auth2-pubkey.c:

    verbose("Found matching %s key: %s", key_type(found), fp);

    $ sudo /usr/local/sbin/sshd -De -p 2022 -o loglevel=verbose
    Found matching RSA key: [fingerprint]
    Accepted publickey for dtucker from 127.0.0.1 port 43578 ssh2
bugzilla-daemon at mindrot.org
2013-Mar-25 10:01 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

--- Comment #2 from Michael Gebetsroither <michael at mgeb.org> ---
Yes, I know, though would it be possible to have the pubkey fingerprint on the same log line, e.g. like:

    username [ssh-pubkey fingerprint]

It's a bit awkward to have to parse multiple lines, including keeping context (the pid), to see if a user possibly logged in or not :/ (and most scripts just do it wrong).
bugzilla-daemon at mindrot.org
2013-Apr-12 14:04 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

Gabor K Horvath <gahorvath at npsh.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gahorvath at npsh.hu

--- Comment #3 from Gabor K Horvath <gahorvath at npsh.hu> ---
(In reply to comment #2)
> It's a bit awkward to have to parse multiple lines including keeping
> context (the pid) to see if a user possible logged in or not :/ (and
> most scripts just do it wrong).

I have to agree. The fact that it's a multi-line log entry makes it more difficult to parse. This is a concern for everyone doing log analysis (with a SIEM, for example). If I turn on the verbose option, I break the existing parsers for OpenSSH logs. All those are usually single-line events. This is a multi-line event. Besides, using the verbose option makes sshd a lot more chatty; having the key fingerprint on the login line would be a lot nicer.
bugzilla-daemon at mindrot.org
2013-Apr-29 07:55 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

Steffen Weber <steffen.weber at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |steffen.weber at gmail.com
bugzilla-daemon at mindrot.org
2013-Jul-12 01:06 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |2076

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
As of openssh-6.3 it will look like this:

    Jul 12 11:04:02 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41228 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac

There is a bit more information printed for certificates too.
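The parsing problem raised in comments #2 and #3, and the single-line format shown in comment #4, side by side as an added example (this is not code from the bug thread or from OpenSSH). The script correlates the pre-6.3 two-line VERBOSE output ("Found matching ... key" followed by "Accepted publickey", tied together only by the sshd pid) and also reads the fingerprint directly from the 6.3+ "ssh2: RSA <fp>" suffix. The log lines, pids, hosts, addresses and the second fingerprint are constructed for the example; the function names are the example's own.

```python
import re

# Constructed sample sshd log lines for this example (not taken from the bug report).
# pids 1401 and 1402: the two-line LogLevel VERBOSE form of OpenSSH <= 6.2.
# pid 1409: the single-line form emitted from OpenSSH 6.3 onwards.
# pid 1402 matched a key but never completed authentication; a script that treats
# "Found matching" as a login (the mistake comment #2 describes) would count it.
SAMPLE_LOG = """\
Jul 12 11:04:01 host sshd[1401]: Found matching RSA key: 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac
Jul 12 11:04:01 host sshd[1402]: Found matching ECDSA key: 0e:4d:11:9a:33:7b:c2:e8:55:a0:6f:1c:d9:28:b4:77
Jul 12 11:04:02 host sshd[1401]: Accepted publickey for root from 172.16.32.11 port 41228 ssh2
Jul 12 11:04:02 host sshd[1402]: Connection closed by 10.0.0.5 [preauth]
Jul 12 11:04:03 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41230 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac
Jul 12 11:04:04 host sshd[1412]: Accepted password for alice from 192.0.2.7 port 40000 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# VERBOSE line from auth2-pubkey.c: verbose("Found matching %s key: %s", ...)
FOUND_RE = re.compile(r"^Found matching (?P<ktype>\S+) key: (?P<fp>\S+)$")
# "Accepted ..." line; the trailing ": <type> <fp>" group only exists from 6.3 on.
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<ktype>\S+) (?P<fp>\S+))?$")


def correlate_logins(lines):
    """Return (logins, orphans).

    logins:  one dict per "Accepted ..." line.  For publickey logins the key type
             and fingerprint come from the same line (6.3+) or, failing that, from
             the most recent "Found matching" line logged by the same sshd pid.
    orphans: {pid: (key_type, fingerprint)} for "Found matching" lines never
             followed by an "Accepted" line from that pid.  These are not logins.
    """
    pending = {}   # pid -> (key_type, fingerprint) awaiting an "Accepted" line
    logins = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")

        found = FOUND_RE.match(msg)
        if found:
            # A client may query several keys before signing with one; sshd looks the
            # signed key up again, so the latest match before "Accepted" is the one used.
            pending[pid] = (found.group("ktype"), found.group("fp"))
            continue

        acc = ACCEPTED_RE.match(msg)
        if not acc:
            continue
        ktype, fp = acc.group("ktype"), acc.group("fp")
        if acc.group("method") == "publickey" and fp is None:
            ktype, fp = pending.pop(pid, (None, None))   # pre-6.3: use the VERBOSE line
        else:
            pending.pop(pid, None)                       # 6.3+ or non-pubkey method
        logins.append({
            "time": m.group("ts"),
            "pid": pid,
            "user": acc.group("user"),
            "src": f"{acc.group('ip')}:{acc.group('port')}",
            "method": acc.group("method"),
            "key_type": ktype,
            "fingerprint": fp,
        })
    return logins, pending


def correlate_sample():
    """Run the correlation over the constructed sample log."""
    return correlate_logins(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    logins, orphans = correlate_sample()
    for entry in logins:
        print(f"{entry['time']} {entry['user']:<8} {entry['src']:<22} "
              f"{entry['method']:<9} {entry['key_type']} {entry['fingerprint']}")
    for pid, (ktype, fp) in orphans.items():
        print(f"pid {pid}: {ktype} key {fp} matched but no login was accepted")
```

The pid-keyed state is exactly the context comment #2 complains about having to keep; once every accepted login carries its own fingerprint (comment #4), `ACCEPTED_RE` alone is enough and the `pending` table only matters for older hosts still in the fleet.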
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release