[ssh_x509] Logging in case of X.509 authentication

ssh_x509 at roumenpetrov.info
Mon Mar 3 23:30:06 EET 2014

Hi Reza,

ssh_x509 at roumenpetrov.info wrote:
> Dear Roumen
> The logging of information during user authentication has been 
> standardised with the release of OpenSSH 6.3 [1].

> That's a great feature and ensures that the following helpful 
> information is logged during user authentication:
> _Auth logging format:_
> <KeyType><Cert_ID><Cert_Serial><Cert_CA><Fingerprint>
The above is only for OpenSSH-specific certificates.
For plain keys and X.509 certificates the format is the same.
> [SNIP]
> Unfortunately, this feature only works with the internal key 
> structures defined by OpenSSH and  does not apply for X.509 certificates.
> Therefore, I would like to kindly ask you if you are also planning to 
> release a similar feature in combination with your patch.
The logging is the same, i.e. pkixssh uses "standardised logging of 
information during user authentication" with the format
<KeyType><Fingerprint>[,<Extra>] .

So what information would you like to see in authentication message?

Note that a distinguished name (certificate subject) could be hundreds of 
characters long. For instance, this is the subject of one of the certificates 
used in the regression tests (length=757):
C=XX,ST=World,O=OpenSSH Test cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4,OU=OpenSSH cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4-2,OU=OpenSSH cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4-1,OU=OpenSSH cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4-3,CN=OpenSSH ECDSA(nistp384) test certificate(rsa_sha1),emailAddress=email at not.set

For historical reasons the length of a log message is limited. Quote from 
RFC 3164 (The BSD syslog Protocol), 4.1: "The total length of the packet 
MUST be 1024 bytes or less."

> I thank you in advance for your feedback and remain with best wishes.
> Reza
> [1] http://openssh.org/txt/release-6.3
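To show what a log collector has to handle with the format discussed in this thread, here is an added example (not code from the thread, from OpenSSH or from pkixssh): a parser for the "<KeyType> <Fingerprint>[,<Extra>]" part of an "Accepted publickey" line, plus a byte budget against the RFC 3164 packet limit. The x509v3-ssh-rsa key-type string, the use of the subject DN as <Extra>, and the sample lines are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 section 4.1: the whole syslog packet MUST be 1024 bytes or less.
SYSLOG_MAX_PACKET = 1024

# Key part of an "Accepted publickey" line laid out as
# "<KeyType> <Fingerprint>[,<Extra>]". The X.509 key-type string and the
# subject DN as <Extra> are assumptions made for this example.
AUTH_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<host>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>[^,\s]+)(?:,(?P<extra>.*))?$"
)


@dataclass
class AuthRecord:
    user: str
    host: str
    keytype: str
    fingerprint: str
    extra: Optional[str]  # None for plain keys; the DN for X.509 here


def parse_auth_line(line: str) -> Optional[AuthRecord]:
    """Extract who authenticated with which key; None for non-auth lines."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    return AuthRecord(m["user"], m["host"], m["keytype"], m["fp"], m["extra"])


def packet_bytes(prefix: str, message: str) -> int:
    """Size in bytes (not characters) of the PRI+HEADER prefix plus MSG."""
    return len((prefix + message).encode("utf-8"))


def room_for_extra(prefix: str, base_message: str) -> int:
    """Bytes left for a ",<Extra>" suffix (comma included) under the cap."""
    return max(0, SYSLOG_MAX_PACKET - packet_bytes(prefix, base_message) - 1)


# Constructed sample lines, not output from a real server.
SAMPLE_LINES = [
    "Mar  3 23:30:06 gw sshd[1234]: Accepted publickey for alice from 192.0.2.10 "
    "port 50022 ssh2: ED25519 SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijk",
    "Mar  3 23:31:10 gw sshd[1240]: Accepted publickey for bob from 192.0.2.11 "
    "port 50023 ssh2: x509v3-ssh-rsa SHA256:zyxwvutsrqponmlkjihgfedcba9876543210ZYXWV,"
    "C=XX,O=Example,CN=bob",
    "Mar  3 23:32:00 gw sshd[1250]: Disconnected from user carol 192.0.2.12 port 50024",
]
```

Budget the DN in bytes, not characters: the escaped cyrillic/greek subject above is 757 ASCII characters, but an unescaped UTF-8 subject of the same visible length would be larger.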