I notice that when using log level INFO it seems sshd(8) provides very little information about failed SSH certificate login attempts:

Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid
Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired

Likewise for invalid principals:

Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal

Is that on purpose or is there a recommended practice to note the account, principal, or certificate used in failed attempts?

Having a valid principal + certificate but from an invalid source address provides more information in the log, but it is split into two lines:

Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr 5 14:57:47 server sshd-session[78381]: error: Refused by certificate options

Thanks,
Lars

--
# /usr/sbin/sshd -T | grep loglevel
loglevel INFO
# /usr/sbin/sshd -V
OpenSSH_9.9, LibreSSL 4.1.0
# uname -srm
OpenBSD 7.7 arm64
# dmesg | head -n 2
OpenBSD 7.7 (GENERIC.MP) #352: Tue Apr 1 15:07:55 MDT 2025
    deraadt@xxxxxxxxxxxxxxxxx:/usr/src/sys/arch/arm64/compile/GENERIC.MP
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
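An added example, not part of the original message and not OpenSSH code: one way a log consumer could merge the certificate-failure lines quoted above into a single record per sshd-session process, so the two-line source-address case reads as one event. The function name `correlate` and the reason labels are hypothetical, and only the message formats quoted in the message are recognised.

```python
import re
from collections import OrderedDict

# Log lines quoted in the message above (sshd at LogLevel INFO).
SAMPLE_LOG = """\
Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid
Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired
Apr 5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal
Apr 5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr 5 14:57:47 server sshd-session[78381]: error: Refused by certificate options
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                  r"sshd-session\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
INVALID = re.compile(r"^error: Certificate invalid: (?P<reason>.+)$")
SOURCE = re.compile(r"^cert: Authentication tried for (?P<user>\S+) with valid "
                    r"certificate but not from a permitted source address "
                    r"\((?P<addr>[^)]+)\)\.?$")
REFUSED = "error: Refused by certificate options"

def correlate(log_text):
    """Merge certificate-failure lines per (host, sshd-session PID) into one record."""
    events = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        inv, src = INVALID.match(msg), SOURCE.match(msg)
        if not (inv or src or msg == REFUSED):
            continue  # unrelated sshd-session message
        # Assumption: a PID is not reused within the log window being processed.
        ev = events.setdefault((m["host"], m["pid"]), {
            "time": m["ts"], "host": m["host"], "pid": int(m["pid"]),
            "reason": None, "user": None, "source": None})
        if inv:
            ev["reason"] = inv["reason"]
        elif src:
            ev["user"], ev["source"] = src["user"], src["addr"]
            ev["reason"] = "source address not permitted"
        elif ev["reason"] is None:
            # Bare refusal with no detail line seen yet for this process.
            ev["reason"] = "refused by certificate options"
    return list(events.values())

if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG):
        print(event)
```

For the "Certificate invalid" lines the `user` and `source` fields stay empty, because those log lines carry neither.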