This patch is against 3.0.2p1. It produces output like the first line in the example below for both v1 and v2 logins. Logging is turned on by sticking ``LogFingerprint yes'' in sshd_conf. It would be nice if something like this would make it into OpenSSH.
Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found matching RSA1 key: dd:5f:1b:ed:2f:cd:a5:05:f6:d1:39:6b:d2:66:dc:2e
Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Accepted rsa for josb from 1.2.3.4 port 1889
--- openssh-3.0.2p1.dist/auth-rsa.c Mon Aug 6 14:01:49 2001
+++ openssh-3.0.2p1/auth-rsa.c Tue Dec 4 14:14:06 2001
@@ -181,7 +181,7 @@
 */
 while (fgets(line, sizeof(line), f)) {
 char *cp;
- char *options;
+ char *optionsp;
 linenum++;
@@ -199,7 +199,7 @@
 */
 if (*cp < '0' || *cp > '9') {
 int quoted = 0;
- options = cp;
+ optionsp = cp;
 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 if (*cp == '\\' && cp[1] == '"')
 cp++; /* Skip both */
@@ -207,7 +207,7 @@
 quoted = !quoted;
 }
 } else
- options = NULL;
+ optionsp = NULL;
 /* Parse the key from the line. */
 if (!auth_rsa_read_key(&cp, &bits, pk->e, pk->n)) {
@@ -232,7 +232,7 @@
 * If our options do not allow this key to be used,
 * do not send challenge.
 */
- if (!auth_parse_options(pw, options, file, linenum))
+ if (!auth_parse_options(pw, optionsp, file, linenum))
 continue;
 /* Perform the challenge-response dialog for this key. */
@@ -251,6 +251,15 @@
 * otherwise continue searching.
 */
 authenticated = 1;
+ if (options.log_fingerprint) {
+ Key *auth_key = key_new(KEY_RSA1);
+ auth_key->rsa->n = pk->n;
+ auth_key->rsa->e = pk->e;
+ log("Found matching %s key: %s",
+ key_type(auth_key),
+ key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX));
+ key_free(auth_key);
+ }
 break;
 }
diff -ruN openssh-3.0.2p1.dist/auth2.c openssh-3.0.2p1/auth2.c
--- openssh-3.0.2p1.dist/auth2.c Tue Nov 13 04:46:19 2001
+++ openssh-3.0.2p1/auth2.c Tue Dec 4 14:12:37 2001
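Review bot: The new block at the end of the auth-rsa.c @@ -251 hunk aliases pk's bignums into a temporary Key and then frees that Key: `auth_key->rsa->n = pk->n;`, `auth_key->rsa->e = pk->e;`, `key_free(auth_key);`. As far as I can tell from 3.0.2p1's key.c, key_new(KEY_RSA1) allocates its own n/e bignums (leaked by the overwrite) and key_free() ends in RSA_free(), which frees n and e — now pk's — so pk is left dangling on the very path where a key was just accepted, and whoever frees pk after the loop (outside this hunk) frees them a second time. Give auth_key copies via BN_dup() instead, as below. key_fingerprint() in this tree also appears to return an xmalloc()'d string that other callers xfree(); passing it straight to log() leaks it on every accepted login. The surrounding while loop and the cleanup of pk lie outside the hunk.
```c
			if (options.log_fingerprint) {
				Key *auth_key = key_new(KEY_RSA1);
				char *fp;

				/* key_new() gave auth_key its own n/e; replace them with copies so
				 * key_free() below cannot free the bignums pk still owns. */
				BN_free(auth_key->rsa->n);
				auth_key->rsa->n = BN_dup(pk->n);
				BN_free(auth_key->rsa->e);
				auth_key->rsa->e = BN_dup(pk->e);
				fp = key_fingerprint(auth_key, SSH_FP_MD5, SSH_FP_HEX);
				log("Found matching %s key: %s", key_type(auth_key), fp);
				xfree(fp);
				key_free(auth_key);
			}
			/* … unchanged: break … */
```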
@@ -690,8 +690,13 @@
 found_key = 0;
 found = key_new(key->type);
+ if (options.log_fingerprint)
+ log("Find matching %s key: %s",
+ key_type(key),
+ key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
+
 while (fgets(line, sizeof(line), f)) {
- char *cp, *options = NULL;
+ char *cp, *optionsp = NULL;
 linenum++;
 /* Skip leading whitespace, empty and comment lines. */
 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -703,7 +708,7 @@
 /* no key? check if there are options for this key */
 int quoted = 0;
 debug2("user_key_allowed: check options: '%s'", cp);
- options = cp;
+ optionsp = cp;
 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
 if (*cp == '\\' && cp[1] == '"')
 cp++; /* Skip both */
@@ -720,10 +725,14 @@
 }
 }
 if (key_equal(found, key) &&
- auth_parse_options(pw, options, file, linenum) == 1) {
+ auth_parse_options(pw, optionsp, file, linenum) == 1) {
 found_key = 1;
 debug("matching key found: file %s, line %lu",
 file, linenum);
+ if (options.log_fingerprint)
+ log("Found matching %s key: %s",
+ key_type(key),
+ key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX));
 break;
 }
 }
--- openssh-3.0.2p1.dist/servconf.c Tue Nov 13 05:03:15 2001
+++ openssh-3.0.2p1/servconf.c Tue Dec 4 12:37:39 2001
@@ -109,6 +109,7 @@
 options->client_alive_count_max = -1;
 options->authorized_keys_file = NULL;
 options->authorized_keys_file2 = NULL;
+ options->log_fingerprint = -1;
 }
 void
@@ -229,6 +230,8 @@
 }
 if (options->authorized_keys_file == NULL)
 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+ if (options->log_fingerprint == -1)
+ options->log_fingerprint = 0;
 }
 /* Keyword tokens. */
@@ -261,6 +264,7 @@
 sBanner, sReverseMappingCheck, sHostbasedAuthentication,
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sLogFingerprint,
 sDeprecated
 } ServerOpCodes;
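Review bot: The message added before the while loop in the auth2.c @@ -690 hunk, `log("Find matching %s key: %s", …)`, is emitted for every key the client offers, before a single authorized_keys line has been compared, so "Find matching" misdescribes it and is easy to confuse with the "Found matching" line added in the @@ -720 hunk; something like "Offered %s key: %s" keeps the two events distinguishable in syslog, which is the whole value of this option for an analyst. Both new log() calls also pass key_fingerprint() straight in and never free the result; if, as it looks in this tree, key_fingerprint() returns an xmalloc()'d string that other callers xfree(), each call leaks. For the first site: `char *fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);` / `log("Offered %s key: %s", key_type(key), fp);` / `xfree(fp);`, and the same shape at the @@ -720 site. The enclosing function (user_key_allowed, going by the debug2 string in the @@ -703 hunk) starts and ends outside these hunks.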
@@ -334,6 +338,7 @@
 { "clientalivecountmax", sClientAliveCountMax },
 { "authorizedkeysfile", sAuthorizedKeysFile },
 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
+ { "logfingerprint", sLogFingerprint },
 { NULL, 0 }
 };
@@ -858,6 +863,10 @@
 case sClientAliveCountMax:
 intptr = &options->client_alive_count_max;
 goto parse_int;
+
+ case sLogFingerprint:
+ intptr = &options->log_fingerprint;
+ goto parse_flag;
 case sDeprecated:
 log("%s line %d: Deprecated option %s",
diff -ruN openssh-3.0.2p1.dist/servconf.h openssh-3.0.2p1/servconf.h
--- openssh-3.0.2p1.dist/servconf.h Wed Sep 12 09:40:06 2001
+++ openssh-3.0.2p1/servconf.h Tue Dec 4 12:37:39 2001
@@ -129,6 +129,7 @@
 char *authorized_keys_file; /* File containing public keys */
 char *authorized_keys_file2;
 int pam_authentication_via_kbd_int;
+ int log_fingerprint;
 } ServerOptions;
Thanks,
--
Jos Backus _/ _/_/_/ Santa Clara, CA _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ josb at cncdsl.com _/_/ _/_/_/ use Std::Disclaimer;
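Review bot: The new `logfingerprint` keyword in the servconf.c table is undocumented: the patch touches only auth-rsa.c, auth2.c, servconf.c and servconf.h, with no sshd_config.5 entry and no comment on the field added in the servconf.h @@ -129 hunk. A man-page paragraph should say that LogFingerprint makes sshd log, at auth.info, the MD5 hex fingerprint of public keys it accepts (v1 and v2) and of keys a v2 client offers, and that the default is "no" — the `log_fingerprint = 0` fallback in the @@ -229 hunk. In servconf.h, `int log_fingerprint; /* LogFingerprint: log key fingerprints during pubkey auth */` would match the style of the neighbouring `authorized_keys_file` comment. A short sample line in sshd_config, such as the `#LogFingerprint no` convention used for other flags, would also help operators find it.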