This may seem convenient, but it's open to abuse as anyone can put any
comment they like on the key they use.
Tim McGarry
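Tim's objection is that the comment column of an authorized_keys line is free text chosen by whoever installed the key, so a log line built from it carries no trust of its own. The Python below is added here as an illustration; it is not OpenSSH code and not code from either poster. It parses an authorized_keys line following the format documented in sshd(8) (optional options field, key type, base64 blob, optional comment), computes the colon-separated MD5 hex fingerprint that the patch's key_fingerprint(..., SSH_FP_MD5, SSH_FP_HEX) call logs, and emits a record in which identity rests on the fingerprint plus file and line number, while the comment is escaped and length-capped before it reaches the log. The function names, the record layout and the sample line are my own constructions.

```python
"""Illustrative authorized_keys parser and log-record builder (not OpenSSH code).

Line format per sshd(8): [options] keytype base64-blob [comment]
Identity in the emitted record comes from the key fingerprint and the file
position; the comment is treated as untrusted text and escaped.
"""
import base64
import binascii
import hashlib

# Prefixes of key-type tokens; a line whose first token lacks one starts with options.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _split_options(line):
    """Split the leading options field from the rest of the line.

    Option values may be double-quoted and contain spaces or commas, so scan
    character by character instead of splitting on whitespace.
    """
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:  # backslash-escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_authorized_key(line):
    """Return {options, keytype, blob, comment} or None for blank/comment/bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    return {"options": options, "keytype": parts[0], "blob": blob,
            "comment": parts[2] if len(parts) == 3 else ""}


def md5_hex_fingerprint(blob):
    """MD5 of the decoded key blob as colon-separated hex, the
    SSH_FP_MD5/SSH_FP_HEX format the patch logs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sanitize_comment(comment, max_len=64):
    """Escape anything outside printable ASCII (plus quote and backslash) as
    \\xNN and cap the length, so the comment cannot break the record's quoting
    or smuggle control characters into the log."""
    out = []
    for ch in comment:
        if 0x20 <= ord(ch) < 0x7F and ch not in '"\\':
            out.append(ch)
        else:
            out.append("".join("\\x%02x" % b for b in ch.encode("utf-8")))
    s = "".join(out)
    if len(s) > max_len:
        s = s[:max_len] + "[truncated]"  # may cut an escape; the marker makes that visible
    return s


def log_record(user, path, linenum, line):
    """Build one log line for a key found at path:linenum; None if the line is not a key."""
    k = parse_authorized_key(line)
    if k is None:
        return None
    return ('user=%s file=%s line=%d type=%s fp=%s comment="%s"'
            % (user, path, linenum, k["keytype"],
               md5_hex_fingerprint(k["blob"]), sanitize_comment(k["comment"])))


# Constructed sample (not a real key): the blob only has to be valid base64.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03\x00\x00\x00\x02\x01\x01"
SAMPLE_LINE = ('from="10.0.0.0/8,192.168.1.1",no-pty ssh-rsa '
               + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " root@trusted-host")

if __name__ == "__main__":
    print(log_record("alice", "/home/alice/.ssh/authorized_keys", 3, SAMPLE_LINE))
```

The record deliberately puts `file=` and `line=` next to the fingerprint: an operator who wants to know who owns a key can open that line of the file, and a misleading comment gains nothing because the fingerprint is what gets compared.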
----- Original Message -----
From: "Axel Dunkel" <ad at Dunkel.de>
To: <openssh-unix-dev at mindrot.org>
Sent: Sunday, February 09, 2003 8:13 PM
Subject: Logging of comments on keys
> Hi,
>
> during our usual work I found it annoying that one can not easily see
> who logged in using public key authentication. In newer versions of
> SSH the fingerprint of the public key gets logged, but who can tell
> which key belongs to whom from his head?
>
> So I wrote a little ad-hoc patch (vs. 3.5.p1) so that the comment
> field on the keys in the authorized_keys[2] files gets logged to make
> life easier. Also, the public key of all public-key-login-*attempts*
> is logged as well.
>
> I include the patch (only some lines of code). I would appreciate
> comments on this matter!
>
> Thanks,
> Axel Dunkel
>
>
> ---
> Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
> Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad at Dunkel.de
>
>
>
>
--------------------------------------------------------------------------------
> *** auth2-pubkey.c.orig Sun Feb 9 12:48:09 2003
> --- auth2-pubkey.c Sun Feb 9 19:57:09 2003
> ***************
> *** 183,188 ****
> --- 183,193 ----
>
> debug("trying public key file %s", file);
>
> + /* log public key */
> +
> + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
> + verbose("Attempt public key authentication for %s with %s key:
%s",
pw->pw_name, key_type(key), fp);> +
> /* Fail quietly if file does not exist */
> if (stat(file, &st) < 0) {
> /* Restore the privileged uid. */
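Review bot: the `fp` returned by `key_fingerprint()` in the added block is never released; the hunk logs it and moves on, and the later `fp = key_fingerprint(found, ...)` in the next hunk overwrites the pointer before its `xfree(fp)` runs, so every public-key attempt leaks one fingerprint string. Add `xfree(fp);` directly after the `verbose(...)` call. The attempt message is also at `verbose` level here while the auth-rsa.c counterpart uses `log()`; pick one level for attempt logging so both paths show up under the same configuration.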
> ***************
> *** 244,249 ****
> --- 249,255 ----
> fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
> verbose("Found matching %s key: %s",
> key_type(found), fp);
> + verbose("Comment on key: %s", cp);
> xfree(fp);
> break;
> }
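Review bot: `cp` in the added `verbose("Comment on key: %s", cp)` is the comment column of the matching authorized_keys line, i.e. free text chosen by whoever installed the key, and it is passed to the log verbatim. The fingerprint logged on the line above already identifies the key, so the comment is convenience rather than evidence; if it is kept, log it together with the file name and line number so an operator can check it against the file, and strip non-printable characters from it before it reaches `verbose()`.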
> *** auth-rsa.c.orig Sun Feb 9 13:18:56 2003
> --- auth-rsa.c Sun Feb 9 13:21:39 2003
> ***************
> *** 153,159 ****
> int
> auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
> {
> ! char line[8192], *file;
> int allowed = 0;
> u_int bits;
> FILE *f;
> --- 153,159 ----
> int
> auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
> {
> ! char line[8192], *file, *extpubkey;
> int allowed = 0;
> u_int bits;
> FILE *f;
> ***************
> *** 164,169 ****
> --- 164,175 ----
> /* Temporarily use the user's uid. */
> temporarily_use_uid(pw);
>
> + /* log public key */
> +
> + extpubkey = BN_bn2hex(client_n);
> + log("Attempt RSA authentication for %s with pubkey %s",
pw->pw_name,
extpubkey);> + OPENSSL_free(extpubkey);
> +
> /* The authorized keys. */
> file = authorized_keys_file(pw);
> debug("trying public RSA key file %s", file);
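Review bot: `BN_bn2hex()` returns NULL on allocation failure, and the hunk hands the result straight to `log()` and `OPENSSL_free()` without a check; test `extpubkey` for NULL first. Logging the full hex modulus also writes several hundred characters per RSA attempt at `log()` level, whereas the auth2-pubkey.c hunk logs a short fingerprint at `verbose` level for the same kind of event; logging a fingerprint here as well keeps log lines bounded and gives both code paths the same identifier to correlate on.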
> ***************
> *** 249,254 ****
> --- 255,263 ----
> log("Warning: %s, line %lu: keysize mismatch: "
> "actual %d vs. announced %d.",
> file, linenum, BN_num_bits(key->rsa->n), bits);
> +
> + /* log comment */
> + verbose("Comment on found key: %s", cp);
>
> /* We have found the desired key. */
> /*
>
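Review bot: the message text differs from the auth2-pubkey.c hunk ("Comment on found key" versus "Comment on key"); use one string so log consumers match a single pattern. As in that hunk, `cp` is the raw comment from the authorized_keys line; `file` and `linenum` are both in scope (the keysize warning just above uses them), so include them in the message so the entry can be verified against the file, and strip non-printable characters from `cp` before logging it.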