openssh unix dev - Apr 2025 - LogLevel INFO shows few details for Certificate invalid: not yet valid / expired

I notice that when using log level INFO it seems sshd(8) provides very
little information about failed SSH certificate log in attempts:

Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid:
not yet valid

Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid:
expired

Likewise for invalid principals:

Apr  5 14:46:56 server sshd-session[66692]: error: Certificate invalid:
name is not a listed principal

Is that on purpose or is there a recommended practice to note the
account, principal, or certificate used in failed attempts?

Having a valid principal + certificate but from an invalid source
address provides more information in the log, but it is split into two
lines:

Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication tried
for lars with valid certificate but not from a permitted source address
(10.11.9.65).
Apr  5 14:57:47 server sshd-session[78381]: error: Refused by
certificate options

Thanks,
Lars

--

# /usr/sbin/sshd -T | grep loglevel
  loglevel INFO

# /usr/sbin/sshd -V
OpenSSH_9.9, LibreSSL 4.1.0

# uname -srm
OpenBSD 7.7 arm64

# dmesg | head -n 2
OpenBSD 7.7 (GENERIC.MP) #352: Tue Apr  1 15:07:55 MDT 2025
     deraadt at arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP

On 4/5/25 15:01, Lars Nood?n wrote:
> I notice that when using log level INFO it seems sshd(8) provides very 
> little information about failed SSH certificate log in attempts:
> 
> Apr? 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: 
> not yet valid
> 
> Apr? 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: 
> expired
> 
> Likewise for invalid principals:
> 
> Apr? 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: 
> name is not a listed principal
> 
> Is that on purpose or is there a recommended practice to note the 
> account, principal, or certificate used in failed attempts?
> 
> Having a valid principal + certificate but from an invalid source 
> address provides more information in the log, but it is split into two 
> lines:
> 
> Apr? 5 14:57:47 server sshd-session[78381]: cert: Authentication tried 
> for lars with valid certificate but not from a permitted source address 
> (10.11.9.65).
> Apr? 5 14:57:47 server sshd-session[78381]: error: Refused by 
> certificate options
> 
> Thanks,
> Lars
Apologies for the timing of the first message.

As a follow up, it would save a lot of detective work with the logs if, 
when specific certificate is part of the problem, to include the 
certificate's id and serial number in the log message.  I'm not sure of 
what the best punctuation might be or if there is already an established 
practice for annotating all that.  But here is an illustration of how it 
could be:

	Apr  5 14:44:41 server sshd-session[51695]: error:
	Certificate invalid: not yet valid, id=abcdefg serial=23456

and

	Apr  5 14:45:31 server sshd-session[88953]: error:
	Certificate invalid: expired, id=abcdefg serial=23456
	date=2025-04-02T12:45:47

and

	Apr  5 14:46:56 server sshd-session[66692]: error:
	Certificate invalid: name is not a listed principal,
	id=abcdefg serial=23456 name=someone

Perhaps for all those the reason variable in sshkey.c would be the place 
to append the id and serial number.

When authentication is refused by certificate options, having the 
information all in a single log entry would help:

	Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication
	tried for lars with valid certificate but not from a permitted
	source address (10.11.9.65).  error: Refused by certificate
	options, id=abcdefg serial=23456

That example is a long line, but the combination would save a lot of 
effort otherwise spent trying to track down and connect separate lines, 
especially when the log is being filled quickly by bot probes.

/Lars