Hi all, As a pubkey is effectively a multiplexing of multiple sysadmins onto a single user, it would be very nice to have the pubkey fingerprint written by default in the authentication log line. Most of the time this is the reason pubkeys are forbidden for root, as it's not clear who logged in. There were patches for this at various companies, though I've never seen them beyond the log lines which included the pubkey fingerprint. Michael
It's already there, you just need to set LogLevel=verbose. See auth2-pubkey.c:

    verbose("Found matching %s key: %s", key_type(found), fp);

$ sudo /usr/local/sbin/sshd -De -p 2022 -o loglevel=verbose
Found matching RSA key: [fingerprint]
Accepted publickey for dtucker from 127.0.0.1 port 43578 ssh2
Yes, I know, though would it be possible to have the pubkey fingerprint on the same log line, e.g. like: username [ssh-pubkey fingerprint]. It's a bit awkward to have to parse multiple lines, including keeping context (the pid), to see if a user possibly logged in or not :/ (and most scripts just do it wrong).
(In reply to comment #2)
> It's a bit awkward to have to parse multiple lines including keeping
> context (the pid) to see if a user possible logged in or not :/ (and
> most scripts just do it wrong).

I have to agree. The fact that it's a multi-line log entry makes it more difficult to parse. This is a concern for everyone doing log analysis (with a SIEM, for example). If I turn on the verbose option, I break the existing parsers for OpenSSH logs. All those are usually single-line events; this is a multi-line event. Besides, using the verbose option makes sshd a lot more chatty. Having the key fingerprint on the login line would be a lot nicer.
As of openssh-6.3 it will look like this:

Jul 12 11:04:02 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41228 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac

There is a bit more information printed for certificates too.
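The two log shapes discussed in this thread (the pre-6.3 LogLevel=verbose pair of lines that must be correlated by sshd pid, and the 6.3 single line with the key type and fingerprint appended) are parsed by the following added example. It is not code from OpenSSH or from any of the posters; it is written here to show what "keeping context (the pid)" actually requires, using constructed syslog-style sample lines (hostnames, pids, users, addresses and all fingerprints other than djm's example line are made up). The `Login`, `parse_publickey_logins` and `audit_line` names are this example's own. The parser also handles a verbose "Found matching" line whose connection later fails, so a stale fingerprint is not attributed to the next login on a reused pid.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard syslog prefix as written by most syslog daemons; the pid is the
# correlation key for the two-line verbose format.
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# LogLevel=verbose line from auth2-pubkey.c (pre-6.3 the only place the
# fingerprint appears).
FOUND = re.compile(r"^Found matching (?P<ktype>\S+) key: (?P<fp>\S+)$")
# 'Accepted publickey ...' with the optional 6.3+ suffix ': <type> <fingerprint>'.
ACCEPTED = re.compile(
    r"^Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2(?:: (?P<ktype>\S+) (?P<fp>\S+))?"
)
# Any failure for the same pid invalidates a pending 'Found matching' entry.
FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?\S+ from \S+ port \d+ ssh2")


@dataclass
class Login:
    pid: int
    user: str
    ip: str
    port: int
    key_type: Optional[str]      # None when neither format carried a key
    fingerprint: Optional[str]


def parse_publickey_logins(lines: List[str]) -> List[Login]:
    """Return one Login per 'Accepted publickey' event, with the fingerprint
    taken inline (6.3+) or from the preceding verbose line for the same pid."""
    pending: Dict[int, Tuple[str, str]] = {}   # pid -> (key type, fingerprint)
    logins: List[Login] = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        f = FOUND.match(msg)
        if f:
            pending[pid] = (f["ktype"], f["fp"])
            continue
        if FAILED.match(msg):
            pending.pop(pid, None)            # never carry a key across a failure
            continue
        a = ACCEPTED.match(msg)
        if not a:
            continue                          # password/keyboard-interactive etc.
        if a["fp"] is not None:               # 6.3+ single-line format
            ktype, fp = a["ktype"], a["fp"]
            pending.pop(pid, None)
        else:                                 # fall back to the verbose pair
            ktype, fp = pending.pop(pid, (None, None))
        logins.append(Login(pid, a["user"], a["ip"], int(a["port"]), ktype, fp))
    return logins


def audit_line(login: Login) -> str:
    """Single-line record in the 'username [fingerprint]' spirit of comment #2."""
    key = f"{login.key_type} {login.fingerprint}" if login.fingerprint else "no-key"
    return f"{login.user} [{key}] from {login.ip}:{login.port} pid={login.pid}"


# Constructed sample log: two interleaved verbose-format sessions, one 6.3
# single-line event (djm's line from the thread), a password login that must be
# ignored, and a verbose 'Found matching' whose connection then fails.
SAMPLE_LOG = """\
Jul 12 11:03:58 host sshd[1401]: Found matching RSA key: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
Jul 12 11:03:59 host sshd[1405]: Found matching ECDSA key: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
Jul 12 11:04:00 host sshd[1405]: Accepted publickey for bob from 10.0.0.5 port 50000 ssh2
Jul 12 11:04:01 host sshd[1401]: Accepted publickey for alice from 10.0.0.4 port 40000 ssh2
Jul 12 11:04:02 host sshd[1409]: Accepted publickey for djm from 172.16.32.11 port 41228 ssh2: RSA 79:fb:ff:ea:15:56:f7:03:b5:4a:e1:04:e2:79:84:ac
Jul 12 11:04:03 host sshd[1412]: Accepted password for carol from 10.0.0.6 port 40001 ssh2
Jul 12 11:04:04 host sshd[1415]: Found matching RSA key: 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10
Jul 12 11:04:05 host sshd[1415]: Failed publickey for dave from 10.0.0.7 port 40002 ssh2
""".splitlines()


if __name__ == "__main__":
    for login in parse_publickey_logins(SAMPLE_LOG):
        print(audit_line(login))
```

Note that the verbose pair is only reliable while the two lines share a pid and nothing else for that pid sits between them; naive scripts that grab "the last fingerprint seen" would attribute 1405's ECDSA key to alice here. The 6.3 format needs no state at all, which is the point of the request.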
closing resolved bugs as of 8.6p1 release