Re: sshd key comment logging - openssh


Thread: Re: sshd key comment logging

  1. Re: sshd key comment logging

    > It doesn't support logging the comment field, but it does support
    > logging the key fingerprint, which uniquely identifies the key (which
    > the comment doesn't) but it's logged at level DEBUG1 not VERBOSE.
    > (See, eg auth2-pubkey.c and look for "Found matching").


    Yep, I've seen it do this while playing around.

    Even if an admin does enable that level of logging, it's pretty hard to
    memorize the key fingerprints and their owners, especially for
    large/dynamic environments. I understand that the key comment is not
    necessarily unique, but in my situation I've made them unique for the
    purposes of management (so it is clear which key belongs to whom when I
    need to revoke access), and so logging the comment would restore meaning
    to the log entry. I think it is plausible that there are many installations
    that do tunneling for Subversion and/or database services over a single
    system account to warrant this feature. What do you think? (I wasn't
    sure from your response if you were receptive to my idea. I'd like to
    know for sure if it has a chance of getting checked into the tree before
    I start working on it.)

    Thanks!
    - Joe

    --
    Joseph S. Testa II | Senior Security Consultant
    Positron Security, LLC.
    http://www.positronsecurity.com

    Phone: (585) 643-5900
    AIM / Skype: TheRealJoeTesta


    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: sshd key comment logging

    Circa 2008-06-24 22:13 dixit Joe Testa:

    : > It doesn't support logging the comment field, but it does support
    : > logging the key fingerprint, which uniquely identifies the key (which
    : > the comment doesn't) but it's logged at level DEBUG1 not VERBOSE.
    : > (See, eg auth2-pubkey.c and look for "Found matching").
    :
    : Yep, I've seen it do this while playing around.
    :
    : Even if an admin does enable that level of logging, it's pretty hard to
    : memorize the key fingerprints and their owners, especially for
    : large/dynamic environments.

    I think the idea is to look up the fingerprint rather than memorize it.
    If you need to do it on the fly, it's not that hard to make a filter or
    log postprocessor to do the dirty work.

    : [...] (I wasn't sure from your response if you were receptive to my
    : idea. I'd like to know for sure if it has a chance of getting checked
    : into the tree before I start working on it.)

    I'm not an OpenSSH developer, but i'd guess you're better off spending
    your time figuring out how to filter or postprocess your logs such that
    your key fingerprints are looked up. If you feel comfortable relying on
    the key comments, then you could even look them up in the SSH public key
    files as opposed to keeping a separate lookup table (although my offhand
    preference would be the reverse, i.e., to keep the private and public
    keys in a centrally administered database or LDAP directory somewhere
    and build the authorized_keys files from the central location).

    Good luck.

    --
    jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
    (GnuPG key ID: 6F39C2CC >>>>>> http://www.pobox.com/~jmknoble/keys/ )
    (GnuPG fingerprint: 5024578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
    +----------------------------------------------------------------------+
    |[L]iberty, as we all know, cannot flourish in a country that is perma-|
    | nently on a war footing, or even a near-war footing. --Aldous Huxley|
    +----------------------------------------------------------------------+
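The log postprocessor Jim suggests, as an added example (not code from the thread or from OpenSSH): it parses an authorized_keys file, computes both fingerprint forms sshd has logged over the years (the colon-separated MD5 hex of the 2008-era "Found matching ... key:" lines and the base64 SHA256 of modern "Accepted publickey" lines), and appends the key's comment to any log line carrying a fingerprint. The authorized_keys entries, key bytes, host names and log lines are all constructed for the example; the `[key-comment: ...]` suffix and the function names are this example's own choices.

```python
"""Annotate sshd log lines with the authorized_keys comment that owns each key
fingerprint. Sample keys and log lines below are constructed, not real."""
import base64
import hashlib
import re
import struct
from typing import Dict, List, Optional, Tuple


def _wire_string(b: bytes) -> bytes:
    """OpenSSH wire format: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _constructed_ed25519_line(seed: int, comment: str) -> str:
    """Constructed authorized_keys line; the 32 key bytes are placeholders."""
    pub = bytes((seed * 37 + i * 11) % 256 for i in range(32))
    blob = _wire_string(b"ssh-ed25519") + _wire_string(pub)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed sample file for a shared account that tunnels Subversion.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys for the shared account 'svc'",
    _constructed_ed25519_line(1, "joe@laptop"),
    'command="svnserve -t",no-pty ' + _constructed_ed25519_line(2, "build-bot@ci"),
])


def fingerprints(blob: bytes) -> Tuple[str, str]:
    """Return (MD5 colon-hex, 'SHA256:' base64) fingerprints of a decoded key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha


# Options such as command="..." may precede the key type, so anchor on the type.
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def parse_authorized_keys_line(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Return (keytype, blob, comment), or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        return None
    keytype, b64, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob's first wire string must repeat the key type; reject anything else.
    if not blob.startswith(_wire_string(keytype.encode())):
        return None
    return keytype, blob, comment


def load_key_table(text: str) -> Dict[str, str]:
    """Map both fingerprint forms of every key to its comment."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        _, blob, comment = parsed
        for fp in fingerprints(blob):
            table[fp] = comment or "(no comment)"
    return table


_FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}|(?:[0-9a-f]{2}:){15}[0-9a-f]{2}")


def annotate(line: str, table: Dict[str, str]) -> str:
    """Append the owning comment to any sshd log line carrying a fingerprint."""
    m = _FP_RE.search(line)
    if not m:
        return line
    return "%s [key-comment: %s]" % (line, table.get(m.group(0), "unknown"))


def process(log_lines: List[str], authorized_keys_text: str) -> List[str]:
    table = load_key_table(authorized_keys_text)
    return [annotate(line, table) for line in log_lines]


def sample_log_lines() -> List[str]:
    """Constructed sshd lines: one old-style DEBUG1 line (MD5), two modern ones (SHA256)."""
    blobs = [p[1] for p in map(parse_authorized_keys_line, AUTHORIZED_KEYS.splitlines()) if p]
    joe_md5, _ = fingerprints(blobs[0])
    _, bot_sha = fingerprints(blobs[1])
    return [
        "Jun 24 22:13:01 host sshd[4242]: debug1: Found matching ED25519 key: " + joe_md5,
        "Jun 24 22:13:05 host sshd[4243]: Accepted publickey for svc from 192.0.2.10 "
        "port 51234 ssh2: ED25519 " + bot_sha,
        "Jun 24 22:13:09 host sshd[4244]: Accepted publickey for svc from 192.0.2.11 "
        "port 51235 ssh2: ED25519 SHA256:" + "A" * 43,   # key not in the file
    ]


if __name__ == "__main__":
    for out in process(sample_log_lines(), AUTHORIZED_KEYS):
        print(out)
```

A fingerprint that is in a log line but not in the file is tagged `unknown`, which is exactly the case worth alerting on when the file is the authoritative source. The same table can be fed from a central key database instead of the per-account file, as Jim's preferred layout would do.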

