On Thu, Oct 14, 2021 at 7:30 AM mike tancsa <mike@xxxxxxxxxx> wrote:

> I have a few servers where a lot of different client implementations
> connect and I want to proactively see who will break as certain key
> exchange protocols and ciphers get deprecated (e.g. rsa-sha1). One
> thing that would be helpful, and perhaps this could be changed going
> forward, is setting the loglevel to verbose from debug?

I enthusiastically second this request: it would be tremendously useful to have sshd log the characteristics of the encryption that is negotiated with the client without having to raise LogLevel to DEBUG, because 1) DEBUG logs a lot of unnecessary information, and 2) sshd_config(5) specifically warns that DEBUG violates user privacy.

One quibble, though: I don't think this log format:

    kex: host key algorithm: %s

...is the best way to do it. Logging just the host key algorithm on a line by itself makes mass log analysis (e.g. Splunk, Grafana) challenging, because the necessary information to figure out what host/user negotiated that algorithm is on a separate line.

What I think would make a lot more sense is to simply log the encryption characteristics in the "Accepted" summary line. E.g., instead of this (line folded for readability):

    Accepted gssapi-keyex for username from 1.2.3.4 port 12335 ssh2:
    username@xxxxxxxxxxx

Log this:

    Accepted method gssapi-keyex kex gss-group14-sha1- cipher
    aes256-gcm@xxxxxxxxxxx mac implicit for username from 1.2.3.4 port
    12335 ssh2: username@xxxxxxxxxxx

This is a trivial amount of information to add to the line, it doesn't violate user privacy, and it would already be logged at LogLevel INFO without administrators specifically needing to move to LogLevel VERBOSE.
If there is a concern that changing the format of the "Accepted" line will perturb too many people, then perhaps a compromise would be to have LogLevel VERBOSE log a new line that logs as much useful information about the incoming connection as it can (anything that doesn't violate user privacy), on a single line, specifically to aid mass log analysis. E.g.:

    connection: method=gssapi-keyex, kex=gss-group14-sha1-,
    cipher=aes256-gcm@xxxxxxxxxxx, mac=implicit, from_ip=1.2.3.4,
    from_port=12335, to_ip=5.6.7.8, to_port=22, user=username

Or, if administrators just want this information but not the other lines that setting LogLevel VERBOSE entails, maybe there could be a separate boolean option to enable logging this line? E.g.:

    LogConnectionInfo no    (default)
    LogConnectionInfo yes

If the administrator sets "LogConnectionInfo yes", then sshd logs the "connection:" log message at LogLevel INFO (the default LogLevel).

Thoughts?
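The kind of mass log analysis the message argues for, as an added example that is not part of the original post or of OpenSSH: a Python script that parses both proposed formats (the key=value "connection:" line and the extended "Accepted" line; no released sshd emits either, they exist here only to exercise the parser), inventories the negotiated kex/cipher/MAC combinations, and flags connections whose kex or MAC name still carries SHA-1, which is the "who will break when this gets deprecated" question from the quoted post. The sample log lines, hostname, users, addresses and fingerprints are constructed, and the SHA-1 policy is an assumption to adjust to whatever algorithms you actually plan to remove.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines in the two formats proposed in the message.
# Line 4 is today's "Accepted" format, which carries no algorithm data and is
# therefore skipped by the parser (that gap is the point of the proposal).
SAMPLE_LOG = """\
Oct 14 07:31:02 host1 sshd[1234]: connection: method=gssapi-keyex, kex=gss-group14-sha1-, cipher=aes256-gcm@openssh.com, mac=implicit, from_ip=1.2.3.4, from_port=12335, to_ip=5.6.7.8, to_port=22, user=username
Oct 14 07:31:09 host1 sshd[1240]: connection: method=publickey, kex=curve25519-sha256, cipher=chacha20-poly1305@openssh.com, mac=implicit, from_ip=10.0.0.7, from_port=50022, to_ip=5.6.7.8, to_port=22, user=backup
Oct 14 07:31:15 host1 sshd[1251]: Accepted method publickey kex diffie-hellman-group14-sha1 cipher aes128-ctr mac hmac-sha1 for legacyuser from 192.0.2.9 port 40000 ssh2: RSA SHA256:constructedfingerprint
Oct 14 07:31:20 host1 sshd[1260]: Accepted publickey for username from 1.2.3.4 port 12336 ssh2: RSA SHA256:constructedfingerprint
"""

# Proposed single-line "connection:" record: comma-separated key=value pairs.
CONNECTION_RE = re.compile(r"sshd\[\d+\]: connection: (?P<fields>.*)$")

# Proposed extended "Accepted" line with method/kex/cipher/mac inlined.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted method (?P<method>\S+) kex (?P<kex>\S+) "
    r"cipher (?P<cipher>\S+) mac (?P<mac>\S+) for (?P<user>\S+) "
    r"from (?P<from_ip>\S+) port (?P<from_port>\d+) ssh2"
)

# Assumed deprecation policy: anything still negotiating a SHA-1 based
# kex or MAC. Replace with the exact algorithm names you intend to disable.
WEAK_PATTERN = re.compile(r"sha1")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of connection attributes, or None if the line carries none."""
    m = CONNECTION_RE.search(line)
    if m:
        fields: Dict[str, str] = {}
        for item in m.group("fields").split(","):
            key, _, value = item.strip().partition("=")
            if key:
                fields[key] = value
        return fields
    m = ACCEPTED_RE.search(line)
    if m:
        return m.groupdict()
    return None  # legacy "Accepted" line or unrelated message


def weak_algorithms(conn: Dict[str, str]) -> List[str]:
    """List the kex/cipher/mac fields of one connection that match the policy."""
    return [f"{k}={conn[k]}" for k in ("kex", "cipher", "mac")
            if k in conn and WEAK_PATTERN.search(conn[k])]


def audit(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map "user@from_ip" to the weak algorithms that client negotiated."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        weak = weak_algorithms(conn)
        if weak:
            findings[f"{conn.get('user')}@{conn.get('from_ip')}"] = weak
    return findings


def algorithm_inventory(lines: Iterable[str]) -> Counter:
    """Count how often each (kex, cipher, mac) triple was negotiated."""
    counts: Counter = Counter()
    for line in lines:
        conn = parse_line(line)
        if conn is not None:
            counts[(conn.get("kex"), conn.get("cipher"), conn.get("mac"))] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for triple, n in algorithm_inventory(lines).most_common():
        print(f"{n:4d}  kex={triple[0]} cipher={triple[1]} mac={triple[2]}")
    for client, weak in audit(lines).items():
        print(f"WILL BREAK: {client} -> {', '.join(weak)}")
```

Pointing the same two functions at a real log export once such a line exists is the whole job: the inventory tells you what is in use, and the audit tells you which user/host pairs to contact before the deprecation lands, which is exactly what a lone "kex: host key algorithm:" line cannot give you.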