
OpenSSH 6.2 released

Posted Mar 22, 2013 18:55 UTC (Fri) by dkg (subscriber, #55359)
In reply to: OpenSSH 6.2 released by gebi
Parent article: OpenSSH 6.2 released

sshd logs the fingerprint of the public key when "LogLevel VERBOSE" is set in sshd_config:

Mar 22 14:51:45 remotehost sshd[14277]: Found matching RSA key: 89:dd:09:d8:1a:25:8e:0e::71:f4:0c:a4:1e:fe:e0:1c
Mar 22 14:51:45 remotehost sshd[14277]: Accepted publickey for abc123 from 127.0.0.1 port 35514 ssh2
Mar 22 14:51:45 remotehost sshd[14277]: pam_unix(sshd:session): session opened for user abc123 by (uid=0)
Why is that useless for log analysis?

If there's a specific change that would make this sort of logging more useful, please make a feature request on the project's bugtracker so that we can all share in the improvement :)
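As an added example (not code from the thread or from OpenSSH), here is the correlation step the comments keep coming back to: the VERBOSE lines are grouped by the sshd child's PID, so the fingerprint from the "Found matching ... key" line and the user and source from the "Accepted publickey" line land in one record, even when several connections interleave in the same syslog stream and even when the pam session line never arrives. The log lines below are constructed sample input modelled on the ones above; the PIDs, fingerprints and addresses are made up.

```python
import re

# Constructed sample input (made-up PIDs and fingerprints): two sshd children
# interleaved in one syslog stream. PID 14301 never gets a pam session line.
SAMPLE_LOG = """\
Mar 22 14:51:45 remotehost sshd[14277]: Found matching RSA key: a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90
Mar 22 14:51:45 remotehost sshd[14301]: Found matching ECDSA key: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Mar 22 14:51:45 remotehost sshd[14277]: Accepted publickey for abc123 from 127.0.0.1 port 35514 ssh2
Mar 22 14:51:45 remotehost sshd[14277]: pam_unix(sshd:session): session opened for user abc123 by (uid=0)
Mar 22 14:51:46 remotehost sshd[14301]: Accepted publickey for abc123 from 10.0.0.5 port 40122 ssh2
Mar 22 14:51:46 remotehost cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KEY_RE = re.compile(r"^Found matching (?P<ktype>\S+) key: (?P<fp>\S+)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")

def correlate(log_text):
    """Return {pid: record}, one record per accepted login.
    Every message for a connection comes from the same sshd child, so the
    PID is the join key: the fingerprint line and the Accepted line merge
    without relying on timestamps or on adjacency in the file."""
    by_pid = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # another program's message; ignore it
        rec, msg = by_pid.setdefault(m["pid"], {}), m["msg"]
        key, acc = KEY_RE.match(msg), ACCEPT_RE.match(msg)
        if key:  # the last key seen before 'Accepted' is the one that authenticated
            rec["key_type"], rec["fingerprint"] = key["ktype"], key["fp"]
        elif acc:
            rec.update(ts=m["ts"], host=m["host"], method=acc["method"], user=acc["user"],
                       src=f"{acc['ip']}:{acc['port']}", accepted=True)
        elif SESSION_RE.match(msg):
            rec["session_opened"] = True
    return {pid: rec for pid, rec in by_pid.items() if rec.get("accepted")}

def one_line(pid, rec):
    """Render a merged record as the single line the thread wishes sshd emitted."""
    status = "session opened" if rec.get("session_opened") else "NO pam session"
    return (f"{rec['ts']} {rec['host']} sshd[{pid}]: login user={rec['user']} "
            f"method={rec['method']} key={rec.get('key_type', '?')}:"
            f"{rec.get('fingerprint', '?')} from={rec['src']} {status}")

if __name__ == "__main__":
    for pid, rec in correlate(SAMPLE_LOG).items():
        print(one_line(pid, rec))
```

Running it prints two merged lines; the one for PID 14301 ends in "NO pam session", which is the "accepted but the session never opened" case gebi describes later in the thread.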



OpenSSH 6.2 released

Posted Mar 23, 2013 2:21 UTC (Sat) by laptop006 (subscriber, #60779) [Link]

We had a nice patch for this at $JOB[-1]; it's nice where multiple people share a single account (some sysadmins, for example, on systems where LDAP etc. aren't possible). Ours added the keyid to the "Accepted publickey" line, which meant no need to do correlation.

We stopped using it in ~2009 when it was noticed that we weren't keeping up with SSH security patches.

OpenSSH 6.2 released

Posted Mar 23, 2013 14:42 UTC (Sat) by gebi (subscriber, #59940) [Link]

YES, exactly this!
Having to do correlation in logfiles is not nice!

Ideally we'd have a log line saying that ssh not only accepted a public key, but that everything (including pam session setup) was successful, and after that produce a log line that the user logged in, e.g. with this 'public key'.

But for the beginning just adding the ssh key fingerprint in the Accepted public-key line would be fine!

OpenSSH 6.2 released

Posted Mar 23, 2013 14:56 UTC (Sat) by dkg (subscriber, #55359) [Link]

Note that one of the new features is that you can require more than one authentication/authorization mechanism to grant access. This makes "everything on one line" slightly more complex (but of course, not impossible).

I don't see the ticket at the OpenSSH bugtracker yet. If you want this improvement to happen, could you please post the suggestion there? Thanks! Suggesting improvements in the right place is a great way to contribute to free software.

OpenSSH 6.2 released

Posted Mar 23, 2013 15:07 UTC (Sat) by gebi (subscriber, #59940) [Link]

Especially the "This makes "everything on one line" slightly more complex (but of course, not impossible)." (for multi factor auth)

Yes, it makes useful log analysis much more complex for every other software, and most parsers just do it wrong.

ONE single line for either success or failure of login would be really nice. Especially pam session setup problems give strange log lines (successful login, but a short connection terminated on the client).

Yes, bug report is on the way ;)

OpenSSH 6.2 released

Posted Mar 25, 2013 15:24 UTC (Mon) by niner (subscriber, #26151) [Link]

I just can't understand why people argued so much against journald which solves problems like this very neatly.

OpenSSH 6.2 released

Posted Mar 25, 2013 17:56 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

Exactly how does journald solve this problem?

The problem is that the application is putting information into multiple log entries that the consumer (the log analysis tools) would really rather be in one log entry.

I don't see how any logging system can possibly solve this application problem?

OpenSSH 6.2 released

Posted Mar 25, 2013 18:26 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

It can group several messages together.

OpenSSH 6.2 released

Posted Mar 25, 2013 18:35 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

How does it know what messages it should group together?

If you are talking about having to do custom configurations to group the messages together, tools exist that can do this with syslog messages as well.

OpenSSH 6.2 released

Posted Mar 25, 2013 18:38 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

Because it can group messages by process. So it makes extraction much easier, compared to the usual syslog files that can have interleaved messages.

OpenSSH 6.2 released

Posted Mar 25, 2013 18:42 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]

Grouping by process does not solve the problem the OP was having with the multiple messages.

It's pretty trivial to group or split syslog messages by the program name.

If you're going to say that journald is better than syslog, you really should compare it against a modern syslog implementation (syslog-ng, rsyslog, nxlog, logstash, etc.), not the historic syslog daemon. Every distro I know of except OpenWrt has converted over to a modern syslog daemon, and even OpenWrt has syslog-ng as an option.

OpenSSH 6.2 released

Posted Mar 25, 2013 10:02 UTC (Mon) by gebi (subscriber, #59940) [Link]

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds