On Fri, Apr 25, 2014 at 1:07 PM, TheGezer <openssh-unix-dev@xxxxxxxxxxxxx> wrote:

> On 04/25/2014 05:41 PM, Eldon Koyle wrote:
> > I think you could end up with a lot of false positives doing this.
>
> yup
>
> > I know I have quite a few keys that my client will try before falling
> > back to password authentication. You would need to have enough logic in
> > your script to see if the authentication succeeds at some point or have
> > a very high limit.
> >
> > It might be more interesting to make a database of bad public keys or
>
> interestingly openssh *does* log revoked keys
> http://en.wikibooks.org/wiki/OpenSSH/Logging#Logging_Revoked_Keys
>
> > fingerprints and block any addresses that attempt one of them (assuming
> > you can get openssh to log the failed keys somehow).
>
> if only I knew how to log the failed keys :)

If sshd doesn't log what you need, perhaps you can use AuthorizedKeysCommand with the akcenv patch [https://github.com/ScottDuckworth/openssh-akcenv] to generate the logs for you. The akcenv patch passes the key and the fingerprint to the AuthorizedKeysCommand process in environment variables, so you could make a script that searches for the matching key in ~/.ssh/authorized_keys (or some other source) and writes to a log (or updates your firewall directly) if it's not found.

The akcenv patch was first proposed on this mailing list last month, ending up with what seemed like a general consensus of being a good thing, but seems to have fizzled out in the bug tracker [https://bugzilla.mindrot.org/show_bug.cgi?id=2081]. If you find it of use for your scenario (which is very different from the use case it was designed for) then please update that bug so that the maintainers know it's useful for multiple things.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
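As an added illustration of the AuthorizedKeysCommand approach described in the reply above (example code written for this page; it is not from the thread, from the akcenv patch, or from OpenSSH), here is a POSIX sh helper that compares each offered key against the user's authorized_keys and logs the ones that are not there. The page does not name the environment variables the patch sets, so the names SSH_AUTH_KEY and SSH_AUTH_KEY_FINGERPRINT below are assumptions, as are the sshd_config lines, the AKC_AUTHORIZED_KEYS override and the authorized_keys contents used for testing, all of which are constructed. The script addresses the false-positive concern raised in the quoted messages: sshd runs the command once per key the client offers, and a client trying several keys before the right one is normal, so the script only logs each miss and leaves rate-limiting or blocking to whatever consumes the log. The client address is not among the inputs assumed here, so the log line is meant to be correlated with sshd's own connection log entry. (Upstream sshd later added %k, %f and %t tokens to AuthorizedKeysCommand, which expose the same information without a patch.)

```shell
#!/bin/sh
# Added example, not part of the thread, the akcenv patch or OpenSSH.
# AuthorizedKeysCommand helper: report offered keys that are absent from
# the target user's authorized_keys.
#
# Assumptions (not stated on the page):
#   - the patched sshd exports the offered key line in $SSH_AUTH_KEY and
#     its fingerprint in $SSH_AUTH_KEY_FINGERPRINT (names assumed);
#   - sshd_config carries:
#       AuthorizedKeysCommand /usr/local/sbin/akc-audit %u
#       AuthorizedKeysCommandUser nobody
#   - AuthorizedKeysCommandUser can read the user's authorized_keys, or
#     AKC_AUTHORIZED_KEYS points at a copy it can read.

# normalize_key LINE: print "type base64blob" for an authorized_keys-style
# line, dropping leading options (from=, command=, ...) and the trailing
# comment so that the same key compares equal however it was annotated.
# Prints nothing for comments, blank lines or lines without a key.
normalize_key() {
    printf '%s\n' "$1" | awk '
        $0 ~ /^[ \t]*#/ || NF < 2 { exit }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i, $(i + 1); exit
                }
            }
        }'
}

# key_authorized FILE KEY: return 0 and print the matching authorized_keys
# line (options and comment intact, as sshd expects on stdout) when KEY's
# type+blob appears in FILE; otherwise print nothing and return 1.
key_authorized() {
    _file=$1
    _want=$(normalize_key "$2")
    [ -n "$_want" ] || return 1
    [ -r "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        [ "$(normalize_key "$_line")" = "$_want" ] || continue
        printf '%s\n' "$_line"
        return 0
    done < "$_file"
    return 1
}

# report_unknown_key USER FINGERPRINT: record one miss via syslog. One call
# per offered key, so a client cycling through several keys produces several
# lines; do any thresholding in the log consumer, not here.
report_unknown_key() {
    logger -t sshd-akc -p auth.notice \
        "user $1: offered key not in authorized_keys, fingerprint $2"
}

# Entry point when sshd invokes the script (%u arrives as $1). Exits 0 either
# way: sshd only cares about the key lines printed on stdout.
if [ -n "${SSH_AUTH_KEY:-}" ] && [ -n "${1:-}" ]; then
    _home=$(getent passwd "$1" | cut -d: -f6)
    _ak=${AKC_AUTHORIZED_KEYS:-$_home/.ssh/authorized_keys}
    if ! key_authorized "$_ak" "$SSH_AUTH_KEY"; then
        report_unknown_key "$1" "${SSH_AUTH_KEY_FINGERPRINT:-unknown}"
    fi
    exit 0
fi
```

Because the script echoes the matching line back to sshd, it can double as the AuthorizedKeysCommand source of truth; if you would rather keep AuthorizedKeysFile authoritative, drop the printf in key_authorized and let the script log only.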