This is my first patch to openssh and I hope that I've approached this well.

When using the AuthorizedKeysCommand the ssh daemon does not log the source (local disk or AuthorizedKeysCommand) for the accepted key. This patch adds a LOG_INFO level message when a key is matched from the command so that users auditing their systems will know how the key was injected.

Regards,
Robert Jennings

--- auth2-pubkey.c | 3 +++ 1 file changed, 3 insertions(+) Index: b/auth2-pubkey.c =================================================================== --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -975,6 +975,9 @@ user_key_command_allowed2(struct ssh *ss /* Read completed successfully */ found_key = ok; + if (ok) + logit("%s: Key for %s found via AuthorizedKeysCommand: %s", + __func__, user_pw->pw_name, format_key(key)); out: if (f != NULL) fclose(f);
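
Review bot: In the added logit() call, the result of format_key(key) is passed straight in as an argument and never kept, so if format_key() returns a heap-allocated string (worth checking against its definition and its other callers in auth2-pubkey.c) every successful AuthorizedKeysCommand match leaks it; assign the result to a local, log it, then free it. Two smaller points on the same lines: the message is emitted only on the command path, so an auditor still has to infer "matched from the file" from the absence of this line, and a matching message for the authorized_keys file path (or one shared message that names the source) would make the log unambiguous. The `__func__` prefix also reads as debug output in an info-level message that administrators are expected to search for; consider dropping it so the line has a stable, greppable form.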