Re: public key authentication -- log invalid keys

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, Apr 25, 2014 at 1:07 PM, TheGezer <openssh-unix-dev@xxxxxxxxxxxxx>wrote:

> On 04/25/2014 05:41 PM, Eldon Koyle wrote:
> > I think you could end up with a lot of false positives doing this.
> yup
> > I know I have quite a few keys that my client will try before falling
> > back to password authentication.  You would need to have enough logic in
> > your script to see if the authentication succeeds at some point or have
> > a very high limit.
> >
> > It might be more interesting to make a database of bad public keys or
> interestingly openssh *does* log revoked keys
> http://en.wikibooks.org/wiki/OpenSSH/Logging#Logging_Revoked_Keys
> > fingerprints and block any addresses that attempt one of them (assuming
> > you can get openssh to log the failed keys somehow).
> >
> if only i knew how to log the failed keys :)
>

If sshd doesn't log what you need, perhaps you can use
AuthorizedKeysCommand with the akcenv patch [
https://github.com/ScottDuckworth/openssh-akcenv] to generate the logs for
you.  The akcenv patch passes the key and the fingerprint to the
AuthorizedKeysCommand process in environment variables, so you could make a
script that searches for the matching key in ~/.ssh/authorized_keys (or
some other source) and write to a log (or update your firewall directly) if
it's not found.

The akcenv patch was first proposed on this mailing list last month, ending
up with what seemed like a general consensus of being a good thing, but
seems to have fizzled out in the bug tracker [
https://bugzilla.mindrot.org/show_bug.cgi?id=2081].  If you find it of use
for your scenario (which is very different than the use case it was
designed for) then please update that bug so that the maintainers know it's
useful for multiple things.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux