Bug 2082

Summary: Please add pubkey fingerprint to authentication log message
Product: Portable OpenSSH Reporter: Michael Gebetsroither <michael>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm, dtucker, gahorvath, steffen.weber
Priority: P5    
Version: 6.2p1   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 2076    

Description Michael Gebetsroither 2013-03-25 08:46:11 AEDT 
Hi all,

As a pubkey is effectively a multiplexing of multiple sysadmins on a single user it would be very nice to have the pubkey fingerprint written per default in the authentication log line.

Most of the time this is the reason pubkeys are forbidden for root, as it's not clear who logged in.

There where patches for this at various companies though i've never seen them beyond the log lines which included the pubkey fingerprint.

Michael
Comment 1 Darren Tucker 2013-03-25 11:07:56 AEDT 
It's already there, you just need to set LogLevel=verbose.  See auth2-pubkey.c:

                        verbose("Found matching %s key: %s",
                            key_type(found), fp);


$ sudo /usr/local/sbin/sshd -De -p 2022 -o loglevel=verbose
Found matching RSA key: [fingerprint]
Accepted publickey for dtucker from 127.0.0.1 port 43578 ssh2
Comment 2 Michael Gebetsroither 2013-03-25 21:01:25 AEDT 
Yes i know, though would it be possible to have the pubkey fingerprint on the same log line

eg. like username [ssh-pubkey fingerprint]

It's a bit awkward to have to parse multiple lines including keeping context (the pid) to see if a user possible logged in or not :/ (and most scripts just do it wrong).
Comment 3 Gabor K Horvath 2013-04-13 00:04:54 AEST 
(In reply to comment #2)
> It's a bit awkward to have to parse multiple lines including keeping
> context (the pid) to see if a user possible logged in or not :/ (and
> most scripts just do it wrong).

I have to agree.

The fact that it's a multi line log entry makes it more difficult to parse. This is a concern for everyone doing log analysis (with a SIEM for example).
If I turn on the verbose option, I break the existing parsers for openSSH logs. All those are usually single line events. This is a multi-line event.
Besides using the verbose option makes sshd a lot more chatty, having the key fingerprint on the log in line would be a lot nicer.
Comment 4 Damien Miller 2013-07-12 11:06:37 AEST 
As of openssh-6.3 it will look like this:

Jul 12 11:04:02 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41228 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac

There is a bit more information printed for certificates too.
Comment 5 Damien Miller 2021-04-23 15:10:47 AEST 
closing resolved bugs as of 8.6p1 release