OK so I've been doing some digging and a bit more testing. Seems I do get an error, but only at verbose loglevel. But I have to increase LogLevel to VERBOSE to only get:

    [sshd] Failed publickey for root

Undeterred, I went digging in the source. It looks like auth2-pubkey.c has function "user_key_allowed", which in turn calls "user_key_allowed2", which calls "check_authkeys_file". So there is a line for key not found, but I'm not getting this with LogLevel = VERBOSE:

http://fossies.org/dox/openssh-6.6p1/auth2-pubkey_8c_source.html#l00651

    if (!found_key)
        debug2("key not found");

So with LogLevel DEBUG2 this gives me much, much more info, including "key not found".

OK, so far so good: the logging I requested is there, but at debug2 level, or more generically at verbose level. With more and more bruteforce toys being available online, I do wonder if this kind of thing really ought to be at a higher volume, to alert that unknown keys are being used on systems. With lost/stolen keys I would imagine most people would delete and recreate rather than making use of RevokedKeys, and so not know if folks are silently trying to connect to their hosts. I do appreciate though that many machines will try their public keys first and thus possibly create unnecessary noise in logs.

Is it worth making this a config file option that could be enabled / disabled on sshd start? Or am I alone in this line of thinking and should just patch my source appropriately?

Please let me know your thoughts, thanks

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
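As an added illustration of the detection the post is asking for (not code from the post or from OpenSSH): the VERBOSE-level "Failed publickey" line is enough to spot sources that offer keys the host does not know and never log in, while the noise the post mentions (a client cycling through several keys before the right one) is filtered out by requiring that no "Accepted publickey" follows from the same source. The syslog line layout and the sample entries are assumed/constructed, modelled on typical auth.log output.

```python
import re
from collections import defaultdict

# Assumed syslog/auth.log layout for the two sshd messages that matter here.
# Trailing text (e.g. a key fingerprint on newer versions) is ignored.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize_publickey_attempts(lines):
    """Count failed and accepted publickey attempts per (user, source ip)."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            stats[(m["user"], m["ip"])]["failed"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[(m["user"], m["ip"])]["accepted"] += 1
    return dict(stats)


def suspicious_sources(lines, threshold=3):
    """(user, ip) pairs with at least `threshold` rejected key offers and no
    accepted login at all. A legitimate client that tries several keys produces
    failures followed by an Accepted line, so it is not reported."""
    stats = summarize_publickey_attempts(lines)
    return sorted(k for k, v in stats.items()
                  if v["failed"] >= threshold and v["accepted"] == 0)


# Constructed sample log (not real traffic), in the assumed layout above.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2101]: Failed publickey for root from 198.51.100.7 port 50001 ssh2
Mar  3 10:01:02 host sshd[2101]: Failed publickey for root from 198.51.100.7 port 50001 ssh2
Mar  3 10:01:03 host sshd[2101]: Accepted publickey for root from 198.51.100.7 port 50001 ssh2
Mar  3 10:05:10 host sshd[2140]: Failed publickey for root from 203.0.113.9 port 40211 ssh2
Mar  3 10:05:11 host sshd[2141]: Failed publickey for root from 203.0.113.9 port 40212 ssh2
Mar  3 10:05:12 host sshd[2142]: Failed publickey for root from 203.0.113.9 port 40213 ssh2
Mar  3 10:05:13 host sshd[2143]: Failed publickey for deploy from 203.0.113.9 port 40214 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, ip in suspicious_sources(SAMPLE_LOG):
        print(f"{ip} offered unknown keys for {user} and never logged in")
```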