openssh unix dev - Feb 2003 - Logging of comments on keys

Hi,

during our usual work I found it anoying that one can not easily see 
who logged in using public key authentication. In newer versions of 
SSH the fingerprint of the public key gets logged, but who can tell 
which key belongs to whom from his head?

So I wrote a little ad-hoc patch (vs. 3.5.p1) so that the comment 
field on the keys in the authorized_keys[2] files get logged to make 
life easier. Also, the public key of all public-key-login-*attempts* 
are logged as well.

I include the patch (only some lines of code). I would appreciate 
comments on this matter!

Thanks,
Axel Dunkel


---
Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99,   E-Mail: ad at Dunkel.de



-------------- next part --------------
*** auth2-pubkey.c.orig	Sun Feb  9 12:48:09 2003
--- auth2-pubkey.c	Sun Feb  9 19:57:09 2003
***************
*** 183,188 ****
--- 183,193 ----
  
  	debug("trying public key file %s", file);
  
+  	/* log public key */
+ 
+ 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ 	verbose("Attempt public key authentication for %s with %s key: %s",
pw->pw_name, key_type(key), fp);
+ 
  	/* Fail quietly if file does not exist */
  	if (stat(file, &st) < 0) {
  		/* Restore the privileged uid. */
***************
*** 244,249 ****
--- 249,255 ----
  			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
  			verbose("Found matching %s key: %s",
  			    key_type(found), fp);
+ 			verbose("Comment on key: %s", cp);
  			xfree(fp);
  			break;
  		}
*** auth-rsa.c.orig	Sun Feb  9 13:18:56 2003
--- auth-rsa.c	Sun Feb  9 13:21:39 2003
***************
*** 153,159 ****
  int
  auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
  {
! 	char line[8192], *file;
  	int allowed = 0;
  	u_int bits;
  	FILE *f;
--- 153,159 ----
  int
  auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
  {
! 	char line[8192], *file, *extpubkey;
  	int allowed = 0;
  	u_int bits;
  	FILE *f;
***************
*** 164,169 ****
--- 164,175 ----
  	/* Temporarily use the user's uid. */
  	temporarily_use_uid(pw);
  
+ 	/* log public key */
+ 
+ 	extpubkey = BN_bn2hex(client_n);
+ 	log("Attempt RSA authentication for %s with pubkey %s",
pw->pw_name, extpubkey);
+ 	OPENSSL_free(extpubkey);
+ 
  	/* The authorized keys. */
  	file = authorized_keys_file(pw);
  	debug("trying public RSA key file %s", file);
***************
*** 249,254 ****
--- 255,263 ----
  			log("Warning: %s, line %lu: keysize mismatch: "
  			    "actual %d vs. announced %d.",
  			    file, linenum, BN_num_bits(key->rsa->n), bits);
+ 		
+ 		/* log comment */
+ 		verbose("Comment on found key: %s", cp);
  
  		/* We have found the desired key. */
  		/*

This may seem convenient, but it's open to abuse as anyone can put any
comment they like on the key they use

Tim McGarry
----- Original Message -----
From: "Axel Dunkel" <ad at Dunkel.de>
To: <openssh-unix-dev at mindrot.org>
Sent: Sunday, February 09, 2003 8:13 PM
Subject: Logging of comments on keys

> Hi,
>
> during our usual work I found it anoying that one can not easily see
> who logged in using public key authentication. In newer versions of
> SSH the fingerprint of the public key gets logged, but who can tell
> which key belongs to whom from his head?
>
> So I wrote a little ad-hoc patch (vs. 3.5.p1) so that the comment
> field on the keys in the authorized_keys[2] files get logged to make
> life easier. Also, the public key of all public-key-login-*attempts*
> are logged as well.
>
> I include the patch (only some lines of code). I would appreciate
> comments on this matter!
>
> Thanks,
> Axel Dunkel
>
>
> ---
> Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
> Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99,   E-Mail: ad at Dunkel.de
>
>
>
>

----------------------------------------------------------------------------
----

> *** auth2-pubkey.c.orig Sun Feb  9 12:48:09 2003
> --- auth2-pubkey.c Sun Feb  9 19:57:09 2003
> ***************
> *** 183,188 ****
> --- 183,193 ----
>
>   debug("trying public key file %s", file);
>
> +  /* log public key */
> +
> + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
> + verbose("Attempt public key authentication for %s with %s key:
%s",
pw->pw_name, key_type(key), fp);
> +
>   /* Fail quietly if file does not exist */
>   if (stat(file, &st) < 0) {
>   /* Restore the privileged uid. */
> ***************
> *** 244,249 ****
> --- 249,255 ----
>   fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
>   verbose("Found matching %s key: %s",
>       key_type(found), fp);
> + verbose("Comment on key: %s", cp);
>   xfree(fp);
>   break;
>   }
> *** auth-rsa.c.orig Sun Feb  9 13:18:56 2003
> --- auth-rsa.c Sun Feb  9 13:21:39 2003
> ***************
> *** 153,159 ****
>   int
>   auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
>   {
> ! char line[8192], *file;
>   int allowed = 0;
>   u_int bits;
>   FILE *f;
> --- 153,159 ----
>   int
>   auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
>   {
> ! char line[8192], *file, *extpubkey;
>   int allowed = 0;
>   u_int bits;
>   FILE *f;
> ***************
> *** 164,169 ****
> --- 164,175 ----
>   /* Temporarily use the user's uid. */
>   temporarily_use_uid(pw);
>
> + /* log public key */
> +
> + extpubkey = BN_bn2hex(client_n);
> + log("Attempt RSA authentication for %s with pubkey %s",
pw->pw_name,
extpubkey);
> + OPENSSL_free(extpubkey);
> +
>   /* The authorized keys. */
>   file = authorized_keys_file(pw);
>   debug("trying public RSA key file %s", file);
> ***************
> *** 249,254 ****
> --- 255,263 ----
>   log("Warning: %s, line %lu: keysize mismatch: "
>       "actual %d vs. announced %d.",
>       file, linenum, BN_num_bits(key->rsa->n), bits);
> +
> + /* log comment */
> + verbose("Comment on found key: %s", cp);
>
>   /* We have found the desired key. */
>   /*
>