[ssh_x509] Logging in case of X.509 authentication

ssh_x509 at roumenpetrov.info
Thu Mar 6 10:34:33 EET 2014


Hi Roumen

Thank you very much for your answer.
I've rechecked the code and you were right.
The logging for X.509 is the same, so I currently don't need further 
information to be logged.

Best wishes
Reza



On 03/03/2014 10:30 PM, ssh_x509 at roumenpetrov.info wrote:
> Hi Reza,
>
> ssh_x509 at roumenpetrov.info wrote:
>> Dear Roumen
>>
>> The logging of information during user authentication has been 
>> standardised with the release of OpenSSH 6.3 [1].
> Ok.
>
>> That's a great feature and ensures that the following helpful 
>> information is logged during user authentication:
>>
>> _Auth logging format:_
>>
>> <KeyType><Cert_ID><Cert_Serial><Cert_CA><Fingerprint>
> The above is only for specific OpenSSH certificates.
> For plain keys and X.509 certificates the format is the same.
>> [SNIP]
>>
>> Unfortunately, this feature only works with the internal key 
>> structures defined by OpenSSH and does not apply to X.509 
>> certificates.
>> Therefore, I would like to kindly ask you if you are also planning to 
>> release a similar feature in combination with your patch.
> The logging is the same, i.e. pkixssh uses "standardise logging of 
> information during user authentication" with the format
> <KeyType><Fingerprint>[,<Extra>] .
>
> So what information would you like to see in the authentication message?
>
> Note that the distinguished name (certificate subject) could be hundreds 
> of characters long. For instance, this is the subject of one of the 
> certificates used in regression tests (length=757): C=XX,ST=World,O=OpenSSH 
> Test Team 
> cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 
> greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4,OU=OpenSSH 
> Testers 
> cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 
> greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4-2,OU=OpenSSH 
> Testers 
> cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 
> greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4-1,OU=OpenSSH 
> Testers 
> cyrillic-\\D0\\90\\D0\\91\\D0\\92\\D0\\93\\D0\\B0\\D0\\B1\\D0\\B2\\D0\\B3 
> greek-\\CE\\91\\CE\\92\\CE\\93\\CE\\94\\CE\\B1\\CE\\B2\\CE\\B3\\CE\\B4-3,CN=OpenSSH 
> ECDSA(nistp384) test certificate(rsa_sha1),emailAddress=email at not.set
>
>
> For historical reasons the length of a log message is limited. Quote from 
> RFC 3164 (The BSD syslog Protocol), p4.1: "The total length of the 
> packet MUST be 1024 bytes or less."
>
>> I thank you in advance for your feedback and remain with best wishes.
>> Reza
>>
>>
>> [1] http://openssh.org/txt/release-6.3
>
> Regards,
> Roumen
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
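
The length problem raised in the quoted reply, as an added example that is not part of the thread and is not pkixssh code: it fits a hypothetical "<KeyType> <Fingerprint>,<DN>" message into the 1024-byte RFC 3164 packet and cuts the subject only where no \XX escape or escaped UTF-8 character is split. The function names, the space and comma separators, the single-backslash escape form and the hdr_len parameter (bytes taken by the syslog header) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SYSLOG_MAX 1024 /* RFC 3164, 4.1: whole packet, header included */

/* 0: p does not start a "\XX" hex escape; 1: it does; 2: it does and XX
 * is 0x80..0xBF, a UTF-8 continuation byte tied to the byte before it. */
int esc_kind(const char *p)
{
    if (p[0] != '\\' || !isxdigit((unsigned char)p[1]) ||
        !isxdigit((unsigned char)p[2]))
        return 0;
    return strchr("89ABab", p[1]) ? 2 : 1;
}

/* Longest prefix of dn, at most room bytes, that ends neither inside an
 * escape nor between the escaped bytes of one UTF-8 character. */
size_t dn_safe_prefix(const char *dn, size_t room)
{
    size_t len = strlen(dn), i = 0, step;
    if (len <= room)
        return len;
    while (i < room) {
        step = esc_kind(dn + i) ? 3 : (dn[i] == '\\' ? 2 : 1);
        if (i + step > room)
            break;
        i += step;
    }
    while (i >= 3 && esc_kind(dn + i) == 2 && esc_kind(dn + i - 3))
        i -= 3; /* back up to the lead byte of the split character */
    return i;
}

/* Write "<keytype> <fp>,<dn>" into out (SYSLOG_MAX + 1 bytes), keeping
 * hdr_len bytes free for the syslog header. Returns length or -1. */
int format_auth_line(char *out, size_t hdr_len, const char *keytype,
                     const char *fp, const char *dn)
{
    size_t fixed = strlen(keytype) + strlen(fp) + 2, keep = strlen(dn);
    int cut;
    if (hdr_len + fixed + 3 > SYSLOG_MAX)
        return -1; /* no room even for key type, fingerprint and "..." */
    cut = keep > SYSLOG_MAX - hdr_len - fixed;
    if (cut)
        keep = dn_safe_prefix(dn, SYSLOG_MAX - hdr_len - fixed - 3);
    return snprintf(out, SYSLOG_MAX + 1, "%s %s,%.*s%s", keytype, fp,
                    (int)keep, dn, cut ? "..." : "");
}
```

A truncated subject ends in "..." so a log reader can tell it is incomplete; the fingerprint, which comes first, is never cut.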
