--On 8 October 2011 15:05:28 +0100 Alex Bligh <alex at alex.org.uk> wrote:
> Attached is a patch which adds a log= directive to authorized_keys. The
> text
> in the log="text" directive is appended to the log line, so you
can easily
> tell which key is matched.
Patch inline below - the list stripped it
--
Alex Bligh
diff --git a/auth-options.c b/auth-options.c
index 86c2317..334ec87 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -56,6 +56,9 @@ int forced_tun_device = -1;
/* "principals=" option. */
char *authorized_principals = NULL;
+/* "log=" option */
+char *log_auth_option = NULL;
+
extern ServerOptions options;
void
@@ -81,6 +84,10 @@ auth_clear_options(void)
xfree(authorized_principals);
authorized_principals = NULL;
}
+ if (log_auth_option) {
+ xfree(log_auth_option);
+ log_auth_option = NULL;
+ }
forced_tun_device = -1;
channel_clear_permitted_opens();
}
@@ -206,6 +213,35 @@ auth_parse_options(struct passwd *pw, char *opts, char
*file, u_long linenum)
opts++;
goto next_option;
}
+ cp = "log=\"";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ opts += strlen(cp);
+ log_auth_option = xmalloc(strlen(opts) + 1);
+ i = 0;
+ while (*opts) {
+ if (*opts == '"')
+ break;
+ if (*opts == '\\' && opts[1] == '"') {
+ opts += 2;
+ log_auth_option[i++] = '"';
+ continue;
+ }
+ log_auth_option[i++] = *opts++;
+ }
+ if (!*opts) {
+ debug("%.100s, line %lu: missing end quote",
+ file, linenum);
+ auth_debug_add("%.100s, line %lu: missing end quote",
+ file, linenum);
+ xfree(log_auth_option);
+ log_auth_option = NULL;
+ goto bad_option;
+ }
+ log_auth_option[i] = '\0';
+ auth_debug_add("Log auth option: %.900s", log_auth_option);
+ opts++;
+ goto next_option;
+ }
cp = "environment=\"";
if (options.permit_user_env &&
strncasecmp(opts, cp, strlen(cp)) == 0) {
diff --git a/auth-options.h b/auth-options.h
index 7455c94..d895849 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -30,6 +30,7 @@ extern int no_user_rc;
extern char *forced_command;
extern struct envstring *custom_environment;
extern int forced_tun_device;
+extern char *log_auth_option;
extern int key_is_cert_authority;
extern char *authorized_principals;
diff --git a/auth.c b/auth.c
index d3663a4..9bb20fc 100644
--- a/auth.c
+++ b/auth.c
@@ -199,14 +199,16 @@ auth_log(Authctxt *authctxt, int authenticated, char
*method, char *info)
else
authmsg = authenticated ? "Accepted" : "Failed";
- authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authlog("%s %s for %s%.100s from %.200s port %d%s%s%s",
authmsg,
method,
authctxt->valid ? "" : "invalid user ",
authctxt->user,
get_remote_ipaddr(),
get_remote_port(),
- info);
+ info,
+ log_auth_option?" ":"",
+ log_auth_option?log_auth_option:"");
}
/*
diff --git a/sshd.8 b/sshd.8
index 5c40007..04e0c85 100644
--- a/sshd.8
+++ b/sshd.8
@@ -518,6 +518,8 @@ Also note that this command may be superseded by either a
.Xr sshd_config 5
.Cm ForceCommand
directive or a command embedded in a certificate.
+.It Cm log="text"
+Causes the text specified to be appended to authentication log messages.
.It Cm environment="NAME=value"
Specifies that the string is to be added to the environment when
logging in using this key.