Lars Noodén
2025-Apr-05 12:01 UTC
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
I notice that when using log level INFO it seems sshd(8) provides very little information about failed SSH certificate login attempts:

Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid

Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired

Likewise for invalid principals:

Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal

Is that on purpose or is there a recommended practice to note the account, principal, or certificate used in failed attempts?

Having a valid principal + certificate but from an invalid source address provides more information in the log, but it is split into two lines:

Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr 5 14:57:47 server sshd-session[78381]: error: Refused by certificate options

Thanks,
Lars

--
# /usr/sbin/sshd -T | grep loglevel
loglevel INFO
# /usr/sbin/sshd -V
OpenSSH_9.9, LibreSSL 4.1.0
# uname -srm
OpenBSD 7.7 arm64
# dmesg | head -n 2
OpenBSD 7.7 (GENERIC.MP) #352: Tue Apr 1 15:07:55 MDT 2025
    deraadt at arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
Lars Noodén
2025-May-21 14:06 UTC
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
On 4/5/25 15:01, Lars Noodén wrote:
> I notice that when using log level INFO it seems sshd(8) provides very
> little information about failed SSH certificate login attempts:
>
> Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid:
> not yet valid
>
> Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid:
> expired
>
> Likewise for invalid principals:
>
> Apr  5 14:46:56 server sshd-session[66692]: error: Certificate invalid:
> name is not a listed principal
>
> Is that on purpose or is there a recommended practice to note the
> account, principal, or certificate used in failed attempts?
>
> Having a valid principal + certificate but from an invalid source
> address provides more information in the log, but it is split into two
> lines:
>
> Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication tried
> for lars with valid certificate but not from a permitted source address
> (10.11.9.65).
> Apr  5 14:57:47 server sshd-session[78381]: error: Refused by
> certificate options
>
> Thanks,
> Lars

Apologies for the timing of the first message.

As a follow up, it would save a lot of detective work with the logs if, when a specific certificate is part of the problem, the certificate's id and serial number were included in the log message. I'm not sure of what the best punctuation might be or if there is already an established practice for annotating all that. But here is an illustration of how it could be:

Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid, id=abcdefg serial=23456

and

Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired, id=abcdefg serial=23456 date=2025-04-02T12:45:47

and

Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal, id=abcdefg serial=23456 name=someone

Perhaps for all those the reason variable in sshkey.c would be the place to append the id and serial number.

When authentication is refused by certificate options, having the information all in a single log entry would help:

Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65). error: Refused by certificate options, id=abcdefg serial=23456

That example is a long line, but the combination would save a lot of effort otherwise spent trying to track down and connect separate lines, especially when the log is being filled quickly by bot probes.

/Lars
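Until sshd itself puts the detail on one line, the two-line case above can be stitched back together on the log-collection side by joining lines on the sshd-session PID. The following is an added example (not OpenSSH code and not from the thread) that does that correlation over a constructed sample made from the line shapes quoted above; it also shows that the "Certificate invalid" events carry no user, source or certificate fields at all, which is the gap the thread is asking about.

```python
import re
from collections import Counter

# Constructed sample log, using the line shapes quoted in the thread.
SAMPLE_LOG = """\
Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid
Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired
Apr  5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal
Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr  5 14:57:47 server sshd-session[78381]: error: Refused by certificate options
"""

# syslog prefix as in the thread: "Mon  D HH:MM:SS host sshd-session[pid]: msg"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sshd-session\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# the 'cert:' detail line that precedes "Refused by certificate options"
DETAIL_RE = re.compile(r"^cert: Authentication tried for (?P<user>\S+) with valid "
                       r"certificate but not from a permitted source address "
                       r"\((?P<addr>[^)]+)\)\.$")
INVALID_PREFIX = "error: Certificate invalid: "

def correlate(log_text):
    """Return one event per certificate failure. Lines are joined by (host, pid),
    so a 'cert:' detail line is attached to the 'error:' line from the same process."""
    pending = {}      # (host, pid) -> detail parsed from a 'cert:' line
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        d = DETAIL_RE.match(msg)
        if d:
            pending[key] = {"user": d["user"], "source": d["addr"]}
            continue
        if msg.startswith(INVALID_PREFIX):
            reason = msg[len(INVALID_PREFIX):]
        elif msg == "error: Refused by certificate options":
            reason = "refused by certificate options"
        else:
            continue          # not a certificate failure; ignore
        events.append({"ts": m["ts"], "host": m["host"], "pid": m["pid"],
                       "reason": reason, **pending.pop(key, {})})
    return events

def count_by_reason(events):
    """Tally failure reasons, e.g. to spot a burst of expired certificates."""
    return Counter(e["reason"] for e in events)
```

The PID join only works while both lines come from the same sshd-session process, so the events for "not yet valid", "expired" and "not a listed principal" still end up with nothing to identify the key or account.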