Re: Possible to get publickey fingerprint in sshd log messages?

From: Jason Stone (jason-fbsd-security@shalott.net)
Date: 10/12/02

Next message: Mike Hoskins: "Re: Sniffer nic"
Previous message: Peter Jeremy: "Re: access() is a security hole?"
In reply to: Nicholas Esborn: "Possible to get publickey fingerprint in sshd log messages?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 11 Oct 2002 15:12:38 -0700 (PDT)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: Nicholas Esborn <nick@netdot.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Is there any possibility to identify which public key was accepted in
> sshd's syslog messages? Right now, it spits out something like:

Yes - as of... 3.4? you can get key fingerprints by setting the loglevel
to verbose. I reccommend using a separate logfile for sshd in that case,
as the logs will get very long and noisy (depending on the size of your
user base, of course).

I add this to my syslog.conf:

local7.* /var/log/sshd.log

and this to my sshd_config:

SyslogFacility LOCAL7
LogLevel VERBOSE

I then get output like this in sshd.log:

Oct 11 15:06:36 iphigenia sshd[715]: Found matching DSA key: c2:2a:a3:de:a4:42:19:a7:d0:45:9a:55:e8:0f:bc:d5
Oct 11 15:06:36 iphigenia sshd[715]: Accepted publickey for root from ::1 port 1358 ssh2
Oct 11 15:06:54 iphigenia sshd[715]: Connection closed by remote host.
Oct 11 15:06:54 iphigenia sshd[715]: Closing connection to ::1
Oct 11 15:06:56 iphigenia sshd[722]: Connection from ::1 port 1359
Oct 11 15:06:58 iphigenia sshd[722]: Found matching RSA1 key: a9:3b:46:de:a4:42:19:a7:d0:45:9a:55:e8:0f:ad:9f
Oct 11 15:06:58 iphigenia sshd[722]: Accepted rsa for root from ::1 port 1359

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE9p0zWswXMWWtptckRAtO/AJ0d4MAa6jGznNB1XUTptYNlff5T5QCgux2U
9PeLIVxksDtrYMfuXsJ0hdI=
=bB9D
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Next message: Mike Hoskins: "Re: Sniffer nic"
Previous message: Peter Jeremy: "Re: access() is a security hole?"
In reply to: Nicholas Esborn: "Possible to get publickey fingerprint in sshd log messages?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Removing debian non-us from sources.list [was: debian non-us]
... the manpage is not very verbose. ... Anyway, if debian-archive-keyring ... is up-to-date you shouldn't worry about it. ...
(Debian-User)
Re: Killing Explorer
... If you are sure its not too strong for him:) I would worry a lot about ... how much he would start talking after a whole bottle of limonade:))) ... as verbose as wolfgang is:)) ...
(alt.lang.asm)