In INFO mode, the number of the key in .ssh/authorized_keys isn't logged (though sshd does log the fact a public key was used for authentication). The same issue occurs when a valid key is used from an invalid host (the system logs that a valid key was presented, but not which one). The man page states that DEBUG logging level is not recommended for privacy reasons; there is a real need to audit connections based on the keys used from which hosts. Could this logging feature be moved from DEBUG to INFO to alleviate audit concerns without the additional verbosity?
Have you tried "LogLevel VERBOSE"?
Yes, I just reverified this - the fingerprint is definitely logged at Loglevel=verbose
Unfortunately LogLevel VERBOSE logs the fingerprint of the private key, not the public key. If we don't have the private key that is being abused, we still don't know which key is being abused. LogLevel DEBUG prints which line the public key is on, but not the fingerprint of the public key itself. If the order of this file is changed, we still wouldn't know which key to remove from the server. The actual solution would be logging the fingerprint of the PUBLIC key. Then if the private key is abused, we can revoke the corresponding public key in the "authorized_keys" file.
It *is* the public key fingerprint that is logged (it has to be, public key authentication would be completely broken security-wise if the server got to see the private key).
The private key fingerprint is *NOT* the private key (it is an MD5 hash). Anyway, that's neither here nor there. I've confirmed it is the public key fingerprint that is being logged; there was some confusion about *which* fingerprint "puttygen" was displaying when a private key is opened (openssl dsa will show the proper private key fingerprint and ssh-keygen -l works correctly on public keys).
Close resolved bugs after release.
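As an added worked example (not part of this bug thread and not OpenSSH code), the script below does the audit the reporter asks for using what LogLevel VERBOSE already provides: it parses "Accepted/Failed publickey" lines, computes the SHA256 fingerprint of every key in authorized_keys the same way `ssh-keygen -lf` does (SHA-256 over the decoded key blob, base64 without padding), and maps each log line back to the authorized_keys line number and comment, so the right key can be revoked without caring about line order. All log lines and key blobs are constructed for the example (the ssh-ed25519 key material is filler bytes, not a real key pair), and the function names are mine.

```python
import base64
import hashlib
import re
import struct


def _ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length prefix, then the bytes
    return struct.pack(">I", len(b)) + b


def make_fake_ed25519_pubkey(fill: int) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 public key line whose
    32-byte key material is a fixed filler byte (not a real key pair)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def sha256_fingerprint(b64_key: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA-256 over the decoded key blob,
    base64-encoded with the trailing '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def index_authorized_keys(text: str) -> dict:
    """Map fingerprint -> (line number, comment) for each key in an authorized_keys file.
    An optional leading options field (e.g. from="...",no-pty) is skipped by scanning
    for the first field that looks like a key type."""
    index = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                index[sha256_fingerprint(fields[i + 1])] = (lineno, " ".join(fields[i + 2:]))
                break
    return index


# At LogLevel VERBOSE sshd appends the key type and public-key fingerprint to
# "Accepted/Failed publickey" lines; this pattern pulls out the fields we audit on.
LOG_RE = re.compile(
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)"
)


def audit(log_text: str, authorized_keys_text: str) -> list:
    """Attribute each publickey log line to an authorized_keys line number and comment.
    Keys not present in the file are reported with ak_line None so they stand out."""
    index = index_authorized_keys(authorized_keys_text)
    report = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # password logins and other noise are not key-attributable
        lineno, comment = index.get(m["fp"], (None, ""))
        report.append({"result": m["result"], "user": m["user"], "ip": m["ip"],
                       "fingerprint": m["fp"], "ak_line": lineno, "comment": comment})
    return report


def _fp(key_line: str) -> str:
    return sha256_fingerprint(key_line.split()[1])


# Constructed sample data; the log fingerprints are derived from the same fake keys.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    make_fake_ed25519_pubkey(1) + " alice@laptop",
    'from="10.0.0.0/8",no-pty ' + make_fake_ed25519_pubkey(2) + " deploy@ci",
])

SAMPLE_LOG = "\n".join([
    "sshd[4321]: Accepted publickey for alice from 203.0.113.5 port 52314 ssh2: ED25519 " + _fp(make_fake_ed25519_pubkey(1)),
    "sshd[4322]: Accepted publickey for deploy from 10.1.2.3 port 41000 ssh2: ED25519 " + _fp(make_fake_ed25519_pubkey(2)),
    "sshd[4323]: Failed publickey for root from 198.51.100.9 port 55012 ssh2: ED25519 " + _fp(make_fake_ed25519_pubkey(9)),
    "sshd[4324]: Accepted password for bob from 203.0.113.7 port 50000 ssh2",
])

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, AUTHORIZED_KEYS):
        where = (f"authorized_keys line {row['ak_line']} ({row['comment']})"
                 if row["ak_line"] else "NOT in authorized_keys")
        print(f"{row['result']:8} {row['user']}@{row['ip']} {row['fingerprint']} -> {where}")
```

Fingerprints are computed from the file at run time rather than stored, so reordering or editing authorized_keys never breaks the mapping; a "Failed publickey" line whose fingerprint is absent from the file is exactly the "valid key from an invalid host" or unknown-key case worth a second look.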