This patch is against 3.0.2p1. It produces output like the first line in the
example below for both v1 and v2 logins. Logging is turned on by sticking
``LogFingerprint yes'' in sshd_conf. It would be nice if something like
this
would make it into OpenSSH.
Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found
matching RSA1 key: dd:5f:1b:ed:2f:cd:a5:05:f6:d1:39:6b:d2:66:dc:2e
Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Accepted
rsa for josb from 1.2.3.4 port 1889
--- openssh-3.0.2p1.dist/auth-rsa.c Mon Aug 6 14:01:49 2001
+++ openssh-3.0.2p1/auth-rsa.c Tue Dec 4 14:14:06 2001
@@ -181,7 +181,7 @@
*/
while (fgets(line, sizeof(line), f)) {
char *cp;
- char *options;
+ char *optionsp;
linenum++;
@@ -199,7 +199,7 @@
*/
if (*cp < '0' || *cp > '9') {
int quoted = 0;
- options = cp;
+ optionsp = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp !=
'\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
@@ -207,7 +207,7 @@
quoted = !quoted;
}
} else
- options = NULL;
+ optionsp = NULL;
/* Parse the key from the line. */
if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@@ -232,7 +232,7 @@
* If our options do not allow this key to be used,
* do not send challenge.
*/
- if (!auth_parse_options(pw, options, file, linenum))
+ if (!auth_parse_options(pw, optionsp, file, linenum))
continue;
/* Perform the challenge-response dialog for this key. */
@@ -251,6 +251,15 @@
* otherwise continue searching.
*/
authenticated = 1;
+ if (options.log_fingerprint) {
+ Key *auth_key = key_new(KEY_RSA1);
+ auth_key->rsa->n = pk->n;
+ auth_key->rsa->e = pk->e;
+ log("Found matching %s key: %s",
+ key_type(auth_key),
+ key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX));
+ key_free(auth_key);
+ }
break;
}
diff -ruN openssh-3.0.2p1.dist/auth2.c openssh-3.0.2p1/auth2.c
--- openssh-3.0.2p1.dist/auth2.c Tue Nov 13 04:46:19 2001
+++ openssh-3.0.2p1/auth2.c Tue Dec 4 14:12:37 2001
@@ -690,8 +690,13 @@
found_key = 0;
found = key_new(key->type);
+ if (options.log_fingerprint)
+ log("Find matching %s key: %s",
+ key_type(key),
+ key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
+
while (fgets(line, sizeof(line), f)) {
- char *cp, *options = NULL;
+ char *cp, *optionsp = NULL;
linenum++;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -703,7 +708,7 @@
/* no key? check if there are options for this key */
int quoted = 0;
debug2("user_key_allowed: check options: '%s'", cp);
- options = cp;
+ optionsp = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp !=
'\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
@@ -720,10 +725,14 @@
}
}
if (key_equal(found, key) &&
- auth_parse_options(pw, options, file, linenum) == 1) {
+ auth_parse_options(pw, optionsp, file, linenum) == 1) {
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
+ if (options.log_fingerprint)
+ log("Found matching %s key: %s",
+ key_type(key),
+ key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
break;
}
}
--- openssh-3.0.2p1.dist/servconf.c Tue Nov 13 05:03:15 2001
+++ openssh-3.0.2p1/servconf.c Tue Dec 4 12:37:39 2001
@@ -109,6 +109,7 @@
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+ options->log_fingerprint = -1;
}
void
@@ -229,6 +230,8 @@
}
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+ if (options->log_fingerprint == -1)
+ options->log_fingerprint = 0;
}
/* Keyword tokens. */
@@ -261,6 +264,7 @@
sBanner, sReverseMappingCheck, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sLogFingerprint,
sDeprecated
} ServerOpCodes;
@@ -334,6 +338,7 @@
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
+ { "logfingerprint", sLogFingerprint },
{ NULL, 0 }
};
@@ -858,6 +863,10 @@
case sClientAliveCountMax:
intptr = &options->client_alive_count_max;
goto parse_int;
+
+ case sLogFingerprint:
+ intptr = &options->log_fingerprint;
+ goto parse_flag;
case sDeprecated:
log("%s line %d: Deprecated option %s",
diff -ruN openssh-3.0.2p1.dist/servconf.h openssh-3.0.2p1/servconf.h
--- openssh-3.0.2p1.dist/servconf.h Wed Sep 12 09:40:06 2001
+++ openssh-3.0.2p1/servconf.h Tue Dec 4 12:37:39 2001
@@ -129,6 +129,7 @@
char *authorized_keys_file; /* File containing public keys */
char *authorized_keys_file2;
int pam_authentication_via_kbd_int;
+ int log_fingerprint;
} ServerOptions;
Thanks,
--
Jos Backus _/ _/_/_/ Santa Clara, CA
_/ _/ _/
_/ _/_/_/
_/ _/ _/ _/
josb at cncdsl.com _/_/ _/_/_/ use Std::Disclaimer;
