[ssh_x509] Missing Something Fundamental

ssh_x509 at roumenpetrov.info
Thu May 4 23:23:41 EEST 2017


ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
>
> Is there a way to get the message of "ssh_x509store_verify_cert: return
> 1(trusted)" without setting LogLevel DEBUG3 in sshd_config?
Maybe ...
There is a verbose or informative message generated by the function auth_log.
When the message starts with "Accepted ", the above-mentioned method
definitely returns "1(trusted)".
Quote of the function code for protocol
----
...
     if (authctxt->postponed)
         authmsg = "Postponed";
     else if (partial)
         authmsg = "Partial";
     else
         authmsg = authenticated ? "Accepted" : "Failed";

     authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
         authmsg,
         method,
         submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
         authctxt->valid ? "" : "invalid user ",
         authctxt->user,
         ssh_remote_ipaddr(ssh),
         ssh_remote_port(ssh),
         compat20 ? "ssh2" : "ssh1",
         authctxt->info != NULL ? ": " : "",
         authctxt->info != NULL ? authctxt->info : "");
...
----

> Would like to get this output for auditing reasons.

Perhaps messages in verbose mode are enough for your auditing purposes.

For instance, if the method ..._verify_cert() returns -1, then the server logs 
the message "X.509 certificate validation reject key" followed by the message 
from auth_log():
  "Failed publickey for ....."



> Thanks for the reply!
>
> Jose
[SNIP]

Roumen

-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
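An added example (not from the mail above, nor from PKIX-SSH itself) showing how an auditor could consume the VERBOSE-level messages Roumen points to: it mirrors the authlog() format string quoted in the mail as a regex, classifies each line as Accepted/Failed/Partial/Postponed, and correlates the "X.509 certificate validation reject key" message with the "Failed publickey" line that follows it from the same sshd process. The syslog prefix ("sshd[pid]: ") and all sample log lines are constructed; the key type and fingerprint text after the colon is a placeholder.

```python
import re

# Assumed syslog wrapper around each sshd message (constructed format).
SYSLOG_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# Mirrors the authlog() format string quoted in the mail:
#   "%s %s%s%s for %s%.100s from %.200s port %d %s%s%s"
AUTH_RE = re.compile(
    r'^(?P<status>Postponed|Partial|Accepted|Failed) '
    r'(?P<method>[^/ ]+)(?:/(?P<submethod>\S+))? for '
    r'(?P<invalid>invalid user )?(?P<user>\S+) from (?P<addr>\S+) '
    r'port (?P<port>\d+) (?P<proto>ssh[12])(?:: (?P<info>.*))?$'
)

# Message text taken from the mail; logged right before the auth_log() line.
X509_REJECT = "X.509 certificate validation reject key"

# Constructed sample log lines (fingerprints are placeholders).
SAMPLE_LOG = [
    "May  4 23:01:02 host sshd[1234]: X.509 certificate validation reject key",
    "May  4 23:01:02 host sshd[1234]: Failed publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:<placeholder>",
    "May  4 23:01:09 host sshd[1235]: Accepted publickey for alice from 192.0.2.10 port 51236 ssh2: RSA SHA256:<placeholder>",
    "May  4 23:02:00 host sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "May  4 23:02:30 host sshd[1237]: Partial keyboard-interactive/pam for bob from 192.0.2.20 port 50000 ssh2",
]


def parse_auth_message(msg):
    """Parse one auth_log() message into a dict, or return None if it is not one."""
    m = AUTH_RE.match(msg)
    if not m:
        return None
    ev = m.groupdict()
    ev["invalid_user"] = ev.pop("invalid") is not None
    ev["port"] = int(ev["port"])
    # "Accepted" is the only status for which the certificate was trusted.
    ev["trusted"] = ev["status"] == "Accepted"
    return ev


def audit(lines):
    """Return auth events, flagging publickey failures caused by X.509 rejection."""
    events = []
    pending_reject = set()  # pids whose last message was the X.509 reject line
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg == X509_REJECT:
            pending_reject.add(pid)
            continue
        ev = parse_auth_message(msg)
        if ev is None:
            continue
        ev["pid"] = pid
        ev["x509_rejected"] = (
            ev["status"] == "Failed"
            and ev["method"] == "publickey"
            and pid in pending_reject
        )
        pending_reject.discard(pid)
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG):
        tag = "X509-REJECT" if ev["x509_rejected"] else ev["status"].upper()
        print(f'{tag:12} {ev["method"]:20} {ev["user"]}@{ev["addr"]}:{ev["port"]}')
```

The correlation relies on the two messages coming from the same sshd child process, which is why the pid is used as the key; an "Accepted publickey" line alone is sufficient evidence that the certificate chain verified, matching Roumen's point that no DEBUG3 output is needed for that.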