On Tue, 1 Feb 2000, Phil Karn wrote:
> Hi. To compartmentalize things a bit (e.g., to help limit the damage
> should one of my machines be hacked and my private RSA keys stolen) I
> use different RSA key pairs on my different client machines.
>
> So it occurs to me that it would be nice if ssh could log which key
> was used when logging in to a particular account that has more than
> one entry in .ssh/authorized_keys. Right now it simply says "Accepted
> rsa for karn from <blah blah>" without saying which key was
used.
>
> You obviously don't want to log the whole public key, just the comment
> field from the appropriate line in .ssh/authorized_keys would do.
I don't think the comment is sent as part of the RSA authentication
dialog, though it may be possible to log the fingerprint of the client
user or host key.
Attached is a quick and very dirty patch which does just that.
Regards,
Damien
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
-------------- next part --------------
? ssh
? sshd
? configure
? config.h.in
? config.log
? config.h
? config.cache
? Makefile
? random.h
? random.c
? config.status
? ssh-add
? ssh-keygen
? scp
? ssh-agent
? scp.1.out
? ssh-add.1.out
? ssh-agent.1.out
? ssh-keygen.1.out
? ssh.1.out
? sshd.8.out
? sshd_config.out
? ssh_config.out
Index: auth-rh-rsa.c
==================================================================RCS file:
/var/cvs/openssh/auth-rh-rsa.c,v
retrieving revision 1.7
diff -u -r1.7 auth-rh-rsa.c
--- auth-rh-rsa.c 1999/11/25 00:54:57 1.7
+++ auth-rh-rsa.c 2000/02/02 09:28:51
@@ -22,7 +22,11 @@
#include "xmalloc.h"
#include "uidswap.h"
#include "servconf.h"
+#include "fingerprint.h"
+/* Client host fingerprint from rhosts RSA authentication. */
+extern char *rhost_fingerprint;
+
/*
* Tries to authenticate the user using the .rhosts file and the host using
* its host key. Returns true if authentication succeeds.
@@ -103,5 +107,10 @@
verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s
on %.700s.",
pw->pw_name, client_user, canonical_hostname);
packet_send_debug("Rhosts with RSA host authentication accepted.");
+
+ /* Take a copy of the rhost's key's fingerprint */
+ rhost_fingerprint = xstrdup(fingerprint(client_host_key_e,
+ client_host_key_n));
+
return 1;
}
Index: auth-rsa.c
==================================================================RCS file:
/var/cvs/openssh/auth-rsa.c,v
retrieving revision 1.12
diff -u -r1.12 auth-rsa.c
--- auth-rsa.c 2000/01/20 11:44:09 1.12
+++ auth-rsa.c 2000/02/02 09:28:53
@@ -25,6 +25,7 @@
#include "mpaux.h"
#include "uidswap.h"
#include "servconf.h"
+#include "fingerprint.h"
#ifdef HAVE_OPENSSL
#include <openssl/rsa.h>
@@ -43,6 +44,9 @@
extern char *forced_command;
extern struct envstring *custom_environment;
+/* Client fingerprint from RSA authentication. */
+extern char *client_fingerprint;
+
/*
* Session identifier that is used to bind key exchange and authentication
* responses to a particular session.
@@ -286,6 +290,9 @@
*/
authenticated = 1;
+ /* Take a copy of the client key's fingerprint */
+ client_fingerprint = xstrdup(fingerprint(e, n));
+
/* RSA part of authentication was accepted. Now process the options. */
if (options) {
while (*options && *options != ' ' && *options !=
'\t') {
Index: sshd.c
==================================================================RCS file:
/var/cvs/openssh/sshd.c,v
retrieving revision 1.55
diff -u -r1.55 sshd.c
--- sshd.c 2000/01/26 00:07:22 1.55
+++ sshd.c 2000/02/02 09:29:04
@@ -101,6 +101,12 @@
/* RSA authentication "environment=" options. */
struct envstring *custom_environment = NULL;
+/* Client fingerprint from RSA authentication. */
+char *client_fingerprint = NULL;
+
+/* Client host fingerprint from rhosts RSA authentication. */
+char *rhost_fingerprint = NULL;
+
/* Session id for the current session. */
unsigned char session_id[16];
@@ -1504,11 +1510,15 @@
type == SSH_CMSG_AUTH_PASSWORD)
authlog = log;
- authlog("%s %s for %.200s from %.200s port %d%s",
+ authlog("%s %s for %.200s %s%sfrom %.200s %s%sport %d%s",
authenticated ? "Accepted" : "Failed",
get_authname(type),
pw->pw_uid == 0 ? "ROOT" : pw->pw_name,
+ client_fingerprint != NULL?client_fingerprint:"",
+ client_fingerprint != NULL?" ":"",
get_remote_ipaddr(),
+ rhost_fingerprint != NULL?rhost_fingerprint:"",
+ rhost_fingerprint != NULL?" ":"",
get_remote_port(),
user);