Possible to get sshd (openssh) to log the public key of failed key based login attempts?
As I understand sshd (openssh in my case) typically does/may log the fingerprint/hash of the public key of incoming connections which are attempting to authenticate via key.
What I'm looking for is the full public key of incoming connections, specifically failed logins. Is that possible?
If so, how?
ssh logs authentication key-authentication
You would have the public key if the user/public key was known. If they are not, you would not. That's the case I'm interested in.
– Catskul
Dec 4 at 21:31
This is incorrect. I can definitively say that the ssh server does receive the public key of clients making incoming connections even in the case of unknown keys. I know because I managed to edit the openssh source code to print it out.
– Catskul
Dec 4 at 21:46
In my case the user is authenticating via keys. I'll clarify my question to include that detail.
– Catskul
Dec 4 at 21:54
Let us continue this discussion in chat.
– Peschke
Dec 4 at 22:39
edited Dec 4 at 21:56
asked Dec 4 at 19:18
Catskul
1 Answer
accepted
Apparently this is not a current feature of openssh.
For my own sake, I wrote the feature, and it can be found here:
https://github.com/catskul/openssh-portable/tree/print-public-key
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 2fb5950..82cce57 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -122,6 +122,17 @@ userauth_pubkey(struct ssh *ssh)
"(received %d, expected %d)", __func__, key->type, pktype);
goto done;
}
+ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+ if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshkey_format_text(key, b)) != 0)
+ fatal("%s: sshkey_format_text failed: %s", __func__,
+ ssh_err(r));
+ debug("%s: public key of %s: %s", __func__, authctxt->user,
+ sshbuf_ptr(b));
+ sshbuf_free(b);
+ b = NULL;
+
if (sshkey_type_plain(key->type) == KEY_RSA &&
(ssh->compat & SSH_BUG_RSASIGMD5) != 0)
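Review bot: as shown, the `if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)` guard on the first added line has no braces, so it covers only the `sshbuf_new` check; the `sshkey_format_text`, `debug` and `sshbuf_free` lines run at every log level, and if the paste dropped the braces they should be restored so the whole block is conditional. `sshbuf_ptr(b)` returns a `const u_char *` to raw buffer contents rather than a string, so pass `sshbuf_dup_string(b)` (a NUL-terminated copy that rejects embedded NULs) as the `%s` argument and `free()` it afterwards. Two points worth a comment in the code: the key is logged before the signature in the request has been verified, so the logged blob is unauthenticated client input and anything that parses the log must treat it that way; and the line only appears with `LogLevel DEBUG1` or higher in sshd_config, which also turns on a large amount of other debug output.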
answered Dec 4 at 21:42
Catskul
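One way to consume the line that patch emits, as an added example that is not part of the answer or of OpenSSH: it parses `debug1: userauth_pubkey: public key of <user>: <type> <base64>` lines (format assumed from the patch's `debug()` call), derives the same SHA256 fingerprint sshd prints for a failed publickey attempt, and labels each offered key as present or absent in an `authorized_keys` file. The log lines and keys below are constructed, not captured from a real host.

```python
import base64
import hashlib
import re
# Matches the debug line the patched sshd emits (format taken from the patch's debug() call).
KEY_LINE = re.compile(
    r"userauth_pubkey: public key of (?P<user>\S+): (?P<ktype>[\w-]+) (?P<b64>[A-Za-z0-9+/=]+)")

def ssh_string(b: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length prefix followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def openssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form sshd logs it: base64(SHA-256(raw blob)), '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_type(b64_blob: str) -> str:
    """Key-type string embedded at the start of the wire blob (its first RFC 4253 string field)."""
    blob = base64.b64decode(b64_blob)
    return blob[4:4 + int.from_bytes(blob[:4], "big")].decode("ascii", "replace")

def parse_key_lines(log_text: str) -> list:
    """(user, type, fingerprint) per logged key. The value is untrusted client input, so lines
    whose declared type disagrees with the blob's own type field are dropped rather than trusted."""
    found = []
    for line in log_text.splitlines():
        m = KEY_LINE.search(line)
        if m and blob_type(m["b64"]) == m["ktype"]:
            found.append((m["user"], m["ktype"], openssh_fingerprint(m["b64"])))
    return found

def authorized_fingerprints(authorized_keys_text: str) -> set:
    """Fingerprints of each 'type base64 [comment]' line; a leading options field is not handled."""
    fields = (l.split() for l in authorized_keys_text.splitlines() if not l.startswith("#"))
    return {openssh_fingerprint(f[1]) for f in fields if len(f) >= 2}

def triage(log_text: str, authorized_keys_text: str) -> list:
    """Label each logged failed-attempt key 'known' (present in authorized_keys) or 'unknown'."""
    known = authorized_fingerprints(authorized_keys_text)
    return [(user, fp, "known" if fp in known else "unknown")
            for user, _ktype, fp in parse_key_lines(log_text)]

# Constructed sample data (not captured from a real host): two Ed25519 blobs built from fixed bytes.
KEY_A = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
KEY_B = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))).decode()
SAMPLE_LOG = (
    f"Dec  4 21:40:01 host sshd[1234]: debug1: userauth_pubkey: public key of alice: ssh-ed25519 {KEY_A}\n"
    f"Dec  4 21:40:09 host sshd[1235]: debug1: userauth_pubkey: public key of root: ssh-ed25519 {KEY_B}\n"
    f"Dec  4 21:40:12 host sshd[1236]: debug1: userauth_pubkey: public key of bob: ssh-rsa {KEY_B}\n")
SAMPLE_AUTHORIZED_KEYS = f"ssh-ed25519 {KEY_A} alice@laptop\n"
```

The two outcomes worth alerting on are a "known" key offered for an account it is not authorized for and a run of "unknown" keys from one source.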