This is my first patch to openssh and I hope that I've approached
this well.
When using the AuthorizedKeysCommand the ssh daemon does not log the
source (local disk or AuthorizedKeysCommand) for the accepted key.
This patch adds a LOG_INFO level message when a key is matched from
the command so that users auditing their systems will know how the
key was injected.
Regards,
Robert Jennings
---
auth2-pubkey.c | 3 +++
1 file changed, 3 insertions(+)
Index: b/auth2-pubkey.c
===================================================================
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -975,6 +975,9 @@ user_key_command_allowed2(struct ssh *ss
/* Read completed successfully */
found_key = ok;
+ if (ok)
+ logit("%s: Key for %s found via AuthorizedKeysCommand: %s",
+ __func__, user_pw->pw_name, format_key(key));
out:
if (f != NULL)
fclose(f);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
