Hi all,
Attached is patch for feature to print the full public key of all
key-based login attempts when debug level is set to 1 or above. It was
written in the course of debugging/forensic analysis.
Looking for comments on merge worthiness.
Enhancement ticket can be seen here:
https://bugzilla.mindrot.org/show_bug.cgi?id=2939
Github pull request here:
https://github.com/openssh/openssh-portable/pull/112
(made before I realized they're not the preferred method of contribution)
Andrew
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2fb5950..82cce57 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -122,6 +122,17 @@ userauth_pubkey(struct ssh *ssh)
"(received %d, expected %d)", __func__, key->type, pktype);
goto done;
}
+ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) {
+ if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshkey_format_text(key, b)) != 0)
+ fatal("%s: sshkey_format_text failed: %s", __func__,
+ ssh_err(r));
+ debug("%s: public key of %s: %s", __func__, authctxt->user,
+ sshbuf_ptr(b));
+ sshbuf_free(b);
+ b = NULL;
+ }
if (sshkey_type_plain(key->type) == KEY_RSA &&
(ssh->compat & SSH_BUG_RSASIGMD5) != 0) {
logit("Refusing RSA key because client uses unsafe "
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
