Re: Possible to get publickey fingerprint in sshd log messages?
From: Jason Stone (jason-fbsd-security@shalott.net)
Date: 10/12/02
- Next message: Mike Hoskins: "Re: Sniffer nic"
- Previous message: Peter Jeremy: "Re: access() is a security hole?"
- In reply to: Nicholas Esborn: "Possible to get publickey fingerprint in sshd log messages?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Oct 2002 15:12:38 -0700 (PDT) From: Jason Stone <jason-fbsd-security@shalott.net> To: Nicholas Esborn <nick@netdot.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Is there any possibility to identify which public key was accepted in
> sshd's syslog messages? Right now, it spits out something like:
Yes - as of... 3.4? you can get key fingerprints by setting the loglevel
to verbose. I reccommend using a separate logfile for sshd in that case,
as the logs will get very long and noisy (depending on the size of your
user base, of course).
I add this to my syslog.conf:
local7.* /var/log/sshd.log
and this to my sshd_config:
SyslogFacility LOCAL7
LogLevel VERBOSE
I then get output like this in sshd.log:
Oct 11 15:06:36 iphigenia sshd[715]: Found matching DSA key: c2:2a:a3:de:a4:42:19:a7:d0:45:9a:55:e8:0f:bc:d5
Oct 11 15:06:36 iphigenia sshd[715]: Accepted publickey for root from ::1 port 1358 ssh2
Oct 11 15:06:54 iphigenia sshd[715]: Connection closed by remote host.
Oct 11 15:06:54 iphigenia sshd[715]: Closing connection to ::1
Oct 11 15:06:56 iphigenia sshd[722]: Connection from ::1 port 1359
Oct 11 15:06:58 iphigenia sshd[722]: Found matching RSA1 key: a9:3b:46:de:a4:42:19:a7:d0:45:9a:55:e8:0f:ad:9f
Oct 11 15:06:58 iphigenia sshd[722]: Accepted rsa for root from ::1 port 1359
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE9p0zWswXMWWtptckRAtO/AJ0d4MAa6jGznNB1XUTptYNlff5T5QCgux2U
9PeLIVxksDtrYMfuXsJ0hdI=
=bB9D
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Mike Hoskins: "Re: Sniffer nic"
- Previous message: Peter Jeremy: "Re: access() is a security hole?"
- In reply to: Nicholas Esborn: "Possible to get publickey fingerprint in sshd log messages?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
