William Viker
2009-Mar-24 13:59 UTC
A way to log what line of authorized_keys that was used
Hi!

I'm pretty sure that this isn't currently supported, so, I'll give it a shot and rather be rtfm-flamed instead of not trying :)

Is there any way of logging what line of authorized_keys (and what file) was used when a user logs in? It would be very nice to have, to improve auditing of logins to accounts with multiple public keys.

And, if there isn't - would it be of interest to implement it in the future?

Thanks!

-- 
William Viker
Opera Software ASA
Daniel Kahn Gillmor
2009-Mar-24 15:00 UTC
A way to log what line of authorized_keys that was used
On 03/24/2009 09:59 AM, William Viker wrote:
> I'm pretty sure that this isn't currently supported, so, I'll give it a
> shot and rather be rtfm-flamed instead of not trying :)
>
> Is there any way of logging what line of authorized_keys (and what file)
> that was used when a user logs in? It would be very nice to have to
> improve auditing logins of accounts with multiple publickeys.

If you bump up LogLevel to VERBOSE in sshd_config, sshd will log the fingerprint of the matching key. Is that sufficient for your purposes, or do you want more detail? If you want more detail, what specifically are you looking for?

hth,

--dkg
William Viker
2009-Mar-24 15:27 UTC
A way to log what line of authorized_keys that was used
On Tue, 24 Mar 2009 16:00:56 +0100, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> If you bump up LogLevel to VERBOSE in sshd_config, sshd will log the
> fingerprint of the matching key. Is that sufficient for your purposes,
> or do you want more detail? If you want more detail, what specifically
> are you looking for?

Hmm, yeah. Forgot that I've tried that before. It says something like

    Failed none for root from 213.236.208.22 port 26234 ssh2
    Found matching DSA key: d7:6f:22:76:15:1c:11:10:86:9e:09:a5:d5:e7:7c:d7
    Found matching DSA key: d7:6f:22:76:15:1c:11:10:86:9e:09:a5:d5:e7:7c:d7
    Accepted publickey for root from 213.236.208.22 port 26234 ssh2
    pam_unix(sshd:session): session opened for user root by (uid=0)

There are only two problems

1) It doesn't say what file it found the keys in (but it's probably semi-safe to assume (told user)/.ssh/authorized_keys)

2) With many logins, could there be any chance that log entries get mixed? You don't get all information from the login on one line, or with a unique id/serial to follow

3) From the information the VERBOSE log tells me, I can't see what TTY the user got. Would be nifty :)

Just thinking :)

-- 
William Viker
Opera Software ASA
Jan Pechanec
2009-Mar-24 15:29 UTC
A way to log what line of authorized_keys that was used
On Tue, 24 Mar 2009, William Viker wrote:
> Hi!
>
> I'm pretty sure that this isn't currently supported, so, I'll give it a
> shot and rather be rtfm-flamed instead of not trying :)

William, I don't think you want a line number since that piece of information can change in the future. What is supported is logging of the fingerprint of the matching key:

    fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
    verbose("Found matching %s key: %s", key_type(found), fp);
    xfree(fp);

see auth2-pub.c. You would have to raise the logging level from the default INFO to VERBOSE though.

J.

-- 
Jan Pechanec
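The two halves of this thread fit together: sshd at LogLevel VERBOSE gives you the fingerprint (Jan's point), and the file/line William wants can be rebuilt from it after the fact by fingerprinting each authorized_keys entry the same way. The example below is added here and is not code from the thread or from OpenSSH. It computes the colon-separated MD5 hex fingerprint the 2009 sshd printed (newer releases default to SHA256 fingerprints; sshd_config's FingerprintHash option or a one-line swap of the hash function adapts it), indexes an authorized_keys file by fingerprint, and joins the "Found matching" and "Accepted publickey" lines of one connection on the sshd[pid] field, which addresses the interleaving worry in William's second message. The key blobs, the authorized_keys text and the syslog lines are all constructed for the demo; the ed25519 blobs have the correct wire layout but are not real keys.

```python
"""Resolve the fingerprint sshd logs at LogLevel VERBOSE back to an
authorized_keys file and line, joining per-connection log lines by pid.

Added example for this thread, not OpenSSH code. Key blobs, the
authorized_keys text and the log lines are constructed for the demo.
"""
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32: bytes) -> str:
    """Base64 of a syntactically valid ssh-ed25519 public key blob.
    Constructed: only the wire layout is real, the 32 bytes are not a key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def md5_fingerprint(b64blob: str) -> str:
    """Colon-separated MD5 hex fingerprint, the format sshd logged in 2009
    (key_fingerprint(..., SSH_FP_MD5, SSH_FP_HEX)). Swap in sha256 + base64
    for an sshd that logs SHA256 fingerprints."""
    digest = hashlib.md5(base64.b64decode(b64blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes(range(32, 64)))
FP_A, FP_B = md5_fingerprint(KEY_A), md5_fingerprint(KEY_B)

# Constructed authorized_keys: a comment, a blank line and an options field
# are included because all of them count toward the line number.
AUTHORIZED_KEYS = f"""# deploy keys for this host
ssh-ed25519 {KEY_A} alice@laptop

from="10.0.0.0/8",no-pty ssh-ed25519 {KEY_B} backup@cron
"""

# Constructed syslog lines in the shape sshd emits at LogLevel VERBOSE.
# "Found matching" shows up twice per login and two sessions are interleaved,
# so a "previous line" join would be wrong; sshd[pid] is the join key.
SAMPLE_LOG = f"""Mar 24 13:41:02 host sshd[26234]: Found matching ED25519 key: {FP_A}
Mar 24 13:41:02 host sshd[26301]: Found matching ED25519 key: {FP_B}
Mar 24 13:41:02 host sshd[26234]: Found matching ED25519 key: {FP_A}
Mar 24 13:41:03 host sshd[26301]: Found matching ED25519 key: {FP_B}
Mar 24 13:41:03 host sshd[26301]: Accepted publickey for backup from 10.1.2.3 port 40012 ssh2
Mar 24 13:41:03 host sshd[26234]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
"""

KEY_RE = re.compile(r"(?:^|\s)(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)"
                    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?P<comment>.*)$")
LOG_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FOUND_RE = re.compile(r"Found matching \S+ key: (?P<fp>[0-9a-f:]+)")
ACCEPT_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def index_authorized_keys(text: str, path: str = "~/.ssh/authorized_keys") -> dict:
    """Map fingerprint -> (path, line number, comment) for every key entry.
    Searching for the key-type token skips an optional leading options field."""
    index = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        m = KEY_RE.search(entry)
        if m:
            index[md5_fingerprint(m.group("blob"))] = (path, lineno, m.group("comment").strip())
    return index


def correlate(log_lines, index: dict) -> list:
    """Join the 'Found matching' and 'Accepted publickey' lines of one sshd
    child by pid, then resolve the fingerprint through the index."""
    last_fp = {}  # pid -> fingerprint most recently reported for that child
    logins = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        found = FOUND_RE.search(msg)
        if found:
            last_fp[pid] = found.group("fp")
            continue
        acc = ACCEPT_RE.search(msg)
        if acc:
            fp = last_fp.pop(pid, None)  # consume it: one login per child
            path, lineno, comment = index.get(fp, (None, None, None))
            logins.append({"pid": pid, "user": acc.group("user"), "ip": acc.group("ip"),
                           "fp": fp, "file": path, "line": lineno, "comment": comment})
    return logins


if __name__ == "__main__":
    idx = index_authorized_keys(AUTHORIZED_KEYS)
    for rec in correlate(SAMPLE_LOG.splitlines(), idx):
        print(f"{rec['user']}@{rec['ip']} pid={rec['pid']} key={rec['fp']} "
              f"-> {rec['file']}:{rec['line']} ({rec['comment']})")
```

Two caveats a practitioner would keep in mind. The line number is only meaningful against the version of the file that was in place at login time, which is exactly Jan's objection; keep the fingerprint as the durable record and resolve it against a versioned copy of the file if you need the line later. And if sshd_config points AuthorizedKeysFile at more than one path, index each of them and pass the real path in, since the join tells you which key matched but not which file sshd read it from.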