bugzilla-daemon at mindrot.org
2013-Mar-24 21:46 UTC
[Bug 2082] New: Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
Bug ID: 2082
Summary: Please add pubkey fingerprint to authentication log message
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: michael at mgeb.org
Hi all,
As a pubkey is effectively a multiplexing of multiple sysadmins on a
single user, it would be very nice to have the pubkey fingerprint
written by default in the authentication log line.
Most of the time this is the reason pubkeys are forbidden for root, as
it's not clear who logged in.
There were patches for this at various companies, though I've never
seen them beyond the log lines which included the pubkey fingerprint.
Michael
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Mar-25 00:07 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
It's already there, you just need to set LogLevel=verbose. See
auth2-pubkey.c:
verbose("Found matching %s key: %s",
key_type(found), fp);
$ sudo /usr/local/sbin/sshd -De -p 2022 -o loglevel=verbose
Found matching RSA key: [fingerprint]
Accepted publickey for dtucker from 127.0.0.1 port 43578 ssh2
bugzilla-daemon at mindrot.org
2013-Mar-25 10:01 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
--- Comment #2 from Michael Gebetsroither <michael at mgeb.org> ---
Yes, I know, though would it be possible to have the pubkey fingerprint
on the same log line, e.g. like: username [ssh-pubkey fingerprint]
It's a bit awkward to have to parse multiple lines, including keeping
context (the pid), to see if a user possibly logged in or not :/ (and
most scripts just do it wrong).
bugzilla-daemon at mindrot.org
2013-Apr-12 14:04 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
Gabor K Horvath <gahorvath at npsh.hu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gahorvath at npsh.hu
--- Comment #3 from Gabor K Horvath <gahorvath at npsh.hu> ---
(In reply to comment #2)
> It's a bit awkward to have to parse multiple lines, including keeping
> context (the pid), to see if a user possibly logged in or not :/ (and
> most scripts just do it wrong).
I have to agree.
The fact that it's a multi line log entry makes it more difficult to
parse. This is a concern for everyone doing log analysis (with a SIEM
for example).
If I turn on the verbose option, I break the existing parsers for
openSSH logs. All those are usually single line events. This is a
multi-line event.
Besides, using the verbose option makes sshd a lot more chatty; having
the key fingerprint on the login line would be a lot nicer.
bugzilla-daemon at mindrot.org
2013-Apr-29 07:55 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
Steffen Weber <steffen.weber at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |steffen.weber at gmail.com
bugzilla-daemon at mindrot.org
2013-Jul-12 01:06 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|--- |FIXED
Blocks| |2076
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
As of openssh-6.3 it will look like this:
Jul 12 11:04:02 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41228 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac
There is a bit more information printed for certificates too.
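The parsing problem raised in comments #2 and #3 (a fingerprint on its own "Found matching" line that must be tied back to the later "Accepted publickey" line through the sshd pid) and the single-line openssh-6.3 format shown in comment #4 can both be handled by the same log reader. The following is an added example written for this thread, not code from OpenSSH or from any of the commenters. It assumes the standard syslog prefix `Mon DD HH:MM:SS host sshd[pid]: ` in front of each sshd message; the sample log is constructed, reusing the fingerprint from comment #4 plus made-up values for the other lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed syslog prefix written before every sshd message:
#   "Jul 12 11:04:02 host sshd[1409]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Pre-6.3 verbose form (comment #1): fingerprint on a separate line.
FOUND_RE = re.compile(r"^Found matching (?P<ktype>\S+) key: (?P<fp>\S+)$")
# "Accepted publickey" line; the trailing ": <type> <fingerprint>" part
# only exists from openssh-6.3 on (comment #4).
ACCEPT_RE = re.compile(
    r"^Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<ktype>\S+) (?P<fp>\S+))?$"
)


@dataclass
class PubkeyLogin:
    ts: str
    pid: int
    user: str
    ip: str
    port: int
    ktype: Optional[str]
    fp: Optional[str]
    single_line: bool  # True when the fingerprint came from the Accepted line itself


def parse_pubkey_logins(lines) -> List[PubkeyLogin]:
    """Extract successful public-key logins with their key fingerprint.

    For the old two-line format the "Found matching" line is remembered
    per pid and consumed by the next "Accepted publickey" line of the same
    pid; a later "Found matching" for the same pid replaces the earlier one,
    so the key actually used for the accepted signature wins.
    """
    pending: Dict[int, Tuple[str, str]] = {}
    logins: List[PubkeyLogin] = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        found = FOUND_RE.match(msg)
        if found:
            pending[pid] = (found["ktype"], found["fp"])
            continue
        acc = ACCEPT_RE.match(msg)
        if not acc:
            continue
        if acc["fp"]:
            ktype, fp, single = acc["ktype"], acc["fp"], True
        else:
            # Old format: fall back to the fingerprint recorded for this pid.
            ktype, fp = pending.pop(pid, (None, None))
            single = False
        logins.append(PubkeyLogin(m["ts"], pid, acc["user"], acc["ip"],
                                  int(acc["port"]), ktype, fp, single))
    return logins


def users_by_fingerprint(logins) -> Dict[str, List[Tuple[str, str]]]:
    """Answer the reporter's question: which (user, source) pairs did each key log in as?"""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for lg in logins:
        if lg.fp is not None:
            report.setdefault(lg.fp, []).append((lg.user, lg.ip))
    return report


# Constructed sample log: one pre-6.3 verbose login (pid 1388) interleaved
# with a probe from another pid that never gets accepted (pid 1390), the
# openssh-6.3 line from comment #4, and a password login that must be ignored.
SAMPLE_LOG = """\
Jul 12 11:03:50 host sshd[1388]: Found matching RSA key: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
Jul 12 11:03:50 host sshd[1390]: Found matching DSA key: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
Jul 12 11:03:51 host sshd[1388]: Accepted publickey for root from 10.0.0.5 port 50001 ssh2
Jul 12 11:04:02 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41228 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac
Jul 12 11:04:10 host sshd[1420]: Accepted password for bob from 10.0.0.6 port 50002 ssh2
"""

if __name__ == "__main__":
    for lg in parse_pubkey_logins(SAMPLE_LOG.splitlines()):
        print(lg)
    print(users_by_fingerprint(parse_pubkey_logins(SAMPLE_LOG.splitlines())))
```

Note that with the old format a "Found matching" line followed by a failed authentication simply stays in `pending` (pid 1390 above), which is exactly the context-keeping the commenters complain about; with the 6.3 format each accepted login is self-contained and `pending` is never needed.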
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 2082] Please add pubkey fingerprint to authentication log message
https://bugzilla.mindrot.org/show_bug.cgi?id=2082
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release