Re: LogLevel INFO shows few details for Certificate invalid: not yet valid / expired

On 4/5/25 15:01, Lars Noodén wrote:
I notice that when using log level INFO it seems sshd(8) provides very little information about failed SSH certificate login attempts:

Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid

Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired

Likewise for invalid principals:

Apr  5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal

Is that on purpose or is there a recommended practice to note the account, principal, or certificate used in failed attempts?

Having a valid principal + certificate but from an invalid source address provides more information in the log, but it is split into two lines:

Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr  5 14:57:47 server sshd-session[78381]: error: Refused by certificate options

Thanks,
Lars

Apologies for the timing of the first message.

As a follow-up, it would save a lot of detective work with the logs if, when a specific certificate is part of the problem, the certificate's id and serial number were included in the log message. I'm not sure what the best punctuation might be or whether there is already an established practice for annotating all that. But here is an illustration of how it could be:

	Apr  5 14:44:41 server sshd-session[51695]: error:
	Certificate invalid: not yet valid, id=abcdefg serial=23456

and

	Apr  5 14:45:31 server sshd-session[88953]: error:
	Certificate invalid: expired, id=abcdefg serial=23456
	date=2025-04-02T12:45:47

and

	Apr  5 14:46:56 server sshd-session[66692]: error:
	Certificate invalid: name is not a listed principal,
	id=abcdefg serial=23456 name=someone

Perhaps for all those the reason variable in sshkey.c would be the place to append the id and serial number.

When authentication is refused by certificate options, having the information all in a single log entry would help:

	Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication
	tried for lars with valid certificate but not from a permitted
	source address (10.11.9.65).  error: Refused by certificate
	options, id=abcdefg serial=23456

That example is a long line, but the combination would save a lot of effort otherwise spent trying to track down and connect separate lines, especially when the log is being filled quickly by bot probes.

/Lars
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
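The "detective work" the thread describes, joining the "cert: Authentication tried for ..." line to the "error: Refused by certificate options" line that follows it, can be automated on the receiving side while the log format is unchanged. The script below is an added example, not OpenSSH code and not part of the thread; it assumes, as Lars's own excerpt shows, that both lines carry the same sshd-session PID, and uses that PID as the join key. The sample log lines are constructed from the formats quoted above and are not real data.

```python
"""Correlate sshd certificate-auth failure lines by session PID.

Added example for the thread above; not OpenSSH code. The sample log lines are
constructed from the message formats quoted in the thread.
"""
import re

# Constructed sample, modelled on the lines quoted in the thread (not real logs).
SAMPLE_LOG = """\
Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid: not yet valid
Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid: expired
Apr  5 14:46:56 server sshd-session[66692]: error: Certificate invalid: name is not a listed principal
Apr  5 14:57:47 server sshd-session[78381]: cert: Authentication tried for lars with valid certificate but not from a permitted source address (10.11.9.65).
Apr  5 14:57:47 server sshd-session[78381]: error: Refused by certificate options
Apr  5 14:58:02 server sshd-session[78390]: error: Certificate invalid: expired
"""

# syslog-style prefix: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd(?:-session)?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CERT_TRY_RE = re.compile(
    r"^cert: Authentication tried for (?P<user>\S+) with valid certificate "
    r"but not from a permitted source address \((?P<addr>[^)]+)\)\.?$"
)
INVALID_RE = re.compile(r"^error: Certificate invalid: (?P<reason>.+)$")
REFUSED_MSG = "error: Refused by certificate options"


def correlate(log_text):
    """Return one event dict per failed certificate authentication.

    The two-line 'cert: ... / error: Refused by certificate options' case is
    merged into a single event by matching the sshd-session PID, the only key
    the two lines share (assumption taken from the thread's own excerpt).
    """
    pending = {}   # pid -> context from a 'cert: Authentication tried ...' line
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an sshd line
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        ct = CERT_TRY_RE.match(msg)
        if ct:
            pending[pid] = {"user": ct.group("user"), "addr": ct.group("addr")}
            continue
        inv = INVALID_RE.match(msg)
        if inv:
            # sshd logs no account, principal or certificate identity on this
            # line, which is exactly the gap the thread points out.
            events.append({"ts": ts, "pid": pid, "reason": inv.group("reason"),
                           "user": None, "addr": None})
            continue
        if msg == REFUSED_MSG:
            ctx = pending.pop(pid, {"user": None, "addr": None})
            events.append({"ts": ts, "pid": pid,
                           "reason": "refused by certificate options", **ctx})
    # 'cert:' lines never followed by a refusal for the same PID
    for pid, ctx in pending.items():
        events.append({"ts": None, "pid": pid,
                       "reason": "unmatched cert line", **ctx})
    return events


def count_by_reason(events):
    """Tally failures per reason; handy for separating bot-probe noise
    from the one certificate you are actually debugging."""
    counts = {}
    for ev in events:
        counts[ev["reason"]] = counts.get(ev["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG)
    for ev in found:
        print(ev)
    print(count_by_reason(found))
```

Run it as `python3 correlate_sshd_cert.py` (any filename works) or pipe a real log through `correlate()`; each "Certificate invalid" event still comes back with `user` and `addr` set to `None`, which is the visible effect of the missing id, serial and principal fields the thread asks for. The PID join works only while both lines are produced by the same session process, so a restart between them, or interleaved lines from a busy host, are handled by keeping the pending context keyed per PID rather than by line adjacency.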