bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-12 11:31 UTC
[Bug 1282] Log which key used for authentication
http://bugzilla.mindrot.org/show_bug.cgi?id=1282

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org>  2007-06-12 21:30:58 ---
Yes, I just reverified this - the fingerprint is definitely logged at
Loglevel=verbose

--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-22 18:07 UTC
[Bug 1282] Log which key used for authentication
http://bugzilla.mindrot.org/show_bug.cgi?id=1282

Brian Beaudoin <bbeaudoin at peer1.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

--- Comment #3 from Brian Beaudoin <bbeaudoin at peer1.com>  2007-06-23 04:06:55 ---
Unfortunately LogLevel VERBOSE logs the fingerprint of the private key, not the
public key. If we don't have the private key that is being abused, we still
don't know which key is being abused.

LogLevel DEBUG prints which line the public key is on, but not the fingerprint
of the public key itself. If the order of this file is changed, we still
wouldn't know which key to remove from the server.

The actual solution would be logging the fingerprint of the PUBLIC key. Then if
the private key is abused, we can revoke the corresponding public key in the
"authorized_keys" file.

bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-23 00:03 UTC
[Bug 1282] Log which key used for authentication
http://bugzilla.mindrot.org/show_bug.cgi?id=1282

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
           Keywords|low-hanging-fruit           |
         Resolution|                            |WORKSFORME

--- Comment #4 from Damien Miller <djm at mindrot.org>  2007-06-23 10:03:35 ---
It *is* the public key fingerprint that is logged (it has to be, public key
authentication would be completely broken security-wise if the server got to
see the private key).

bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-23 20:23 UTC
[Bug 1282] Log which key used for authentication
http://bugzilla.mindrot.org/show_bug.cgi?id=1282

--- Comment #5 from Brian Beaudoin <bbeaudoin at peer1.com>  2007-06-24 06:23:42 ---
The private key fingerprint is *NOT* the private key (it is an MD5 hash).
Anyway, that's neither here nor there.

I've confirmed it is the public key fingerprint that is being logged; there was
some confusion about *which* fingerprint "puttygen" was displaying when a
private key is opened (openssl dsa will show the proper private key fingerprint
and ssh-keygen -l works correctly on public keys).
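
Added example, not part of the thread and not OpenSSH code: one way to turn a fingerprint taken from the sshd log into the authorized_keys entry to revoke, independent of line order. All function names are hypothetical and the sample keys are constructed blobs, not real keys; it accepts both the colon-separated MD5 form and the SHA256 form.

```python
import base64
import hashlib
import re
import struct

# Key type, then the base64 blob, then an optional comment; options may precede.
KEY_RE = re.compile(r'\b(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+'
                    r'([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def md5_fingerprint(blob):
    """Colon-separated MD5 hex of the public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob):
    """SHA256:<unpadded base64> of the public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (line_no, blob, comment) for each well-formed key entry."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line.strip())
        if not m:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        # A valid blob begins with a length-prefixed copy of the key type.
        name = m.group(1).encode()
        if blob[:4] != struct.pack(">I", len(name)) or blob[4:4 + len(name)] != name:
            continue
        yield line_no, blob, m.group(3) or ""

def find_logged_key(fingerprint, text):
    """Return [(line_no, comment)] of entries matching a logged fingerprint."""
    fp = fingerprint.strip()
    return [(n, c) for n, blob, c in parse_authorized_keys(text)
            if fp.lower() == md5_fingerprint(blob) or fp == sha256_fingerprint(blob)]

def sample_blob(fill):
    """Constructed ed25519-shaped blob for the demo, not a real key."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32

def sample_authorized_keys():
    """Constructed file text: a comment, a plain entry, and one with options."""
    a, b = (base64.b64encode(sample_blob(f)).decode() for f in (1, 2))
    return ("# constructed sample file\n"
            f"ssh-ed25519 {a} alice@laptop\n"
            f'from="192.0.2.10",no-pty ssh-ed25519 {b} deploy@build\n')
```

Calling find_logged_key() with the logged fingerprint and the contents of the account's authorized_keys file returns the line number and comment of each matching entry.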