(Re-phrased for clarity.)

Please also log the user accounts which attempt to use revoked keys.

Listing the problem account on the same line as the offending revoked key in
the log would make it much easier to identify, instead of in a separate log
entry as is the case now.

The log entry could be changed to look something
like this:

Oct 21 18:14:14 server sshd[73078]: error: User foo authentication key
RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:14:28 server sshd[73078]: Connection closed by
authenticating user foo 198.51.100.95 port 55644 [preauth]

Currently only the key is logged, not the user:

Oct 21 18:07:00 server sshd[79743]: error: Authentication key RSA
SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:07:06 server sshd[79743]: Connection closed by
authenticating user foo 198.51.100.95 port 55634 [preauth]

So I would propose consideration of something approximately like the
changes below.

/Lars

Index: usr.bin/ssh//auth.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.133
diff -u -p -u -r1.133 auth.c
--- usr.bin/ssh//auth.c 12 Sep 2018 01:19:12 -0000      1.133
+++ usr.bin/ssh//auth.c 21 Oct 2018 15:27:04 -0000
@@ -507,7 +507,7 @@ getpwnamallow(const char *user)

 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
-auth_key_is_revoked(struct sshkey *key)
+auth_key_is_revoked(struct passwd *pw, struct sshkey *key)
 {
        char *fp = NULL;
        int r;
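Review bot: The comment above the changed signature, `/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */`, still describes only the key and says nothing about the new `pw` argument, which (per the second auth.c hunk) is only used to name the account in the log message. I would extend it to `/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise. pw names the authenticating user and is used only for logging. */` so a caller does not assume the passwd entry affects the revocation decision. The body of auth_key_is_revoked continues outside this hunk.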
@@ -526,8 +526,9 @@ auth_key_is_revoked(struct sshkey *key)
        case 0:
                break; /* not revoked */
        case SSH_ERR_KEY_REVOKED:
-               error("Authentication key %s %s revoked by file %s",
-                   sshkey_type(key), fp, options.revoked_keys_file);
+               error("User %s authentication key %s %s revoked by file %s",
+                   pw->pw_name, sshkey_type(key), fp,
+                   options.revoked_keys_file);
                goto out;
        default:
                error("Error checking authentication key %s %s in "
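Review bot: `pw->pw_name` is dereferenced unconditionally in the new error() call, and nothing in this hunk establishes that every caller passes a non-NULL pw; the two call sites in this patch take pw from their own parameters, and I cannot see from here whether those are always populated when the key check runs. Unless that invariant is known to hold, the log line should degrade rather than crash the pre-auth process, e.g. `pw != NULL ? pw->pw_name : "(unknown)"` as the first argument. Worth keeping in mind for the wording: this message is emitted before authentication succeeds, so the name logged is the account the client asked for, which is exactly what the later "Connection closed by authenticating user" line also reports. The rest of auth_key_is_revoked, including the `out:` label targeted by the goto, lies outside this hunk.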
Index: usr.bin/ssh//auth.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.h,v
retrieving revision 1.96
diff -u -p -u -r1.96 auth.h
--- usr.bin/ssh//auth.h 10 Apr 2018 00:10:49 -0000      1.96
+++ usr.bin/ssh//auth.h 21 Oct 2018 15:27:04 -0000
@@ -175,7 +175,7 @@ char        *authorized_principals_file(struct

 FILE   *auth_openkeyfile(const char *, struct passwd *, int);
 FILE   *auth_openprincipals(const char *, struct passwd *, int);
-int     auth_key_is_revoked(struct sshkey *);
+int     auth_key_is_revoked(struct passwd *, struct sshkey *);

 const char     *auth_get_canonical_hostname(struct ssh *, int);

Index: usr.bin/ssh//auth2-hostbased.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-hostbased.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 auth2-hostbased.c
--- usr.bin/ssh//auth2-hostbased.c      20 Sep 2018 03:28:06 -0000      1.38
+++ usr.bin/ssh//auth2-hostbased.c      21 Oct 2018 15:27:04 -0000
@@ -175,7 +175,7 @@ hostbased_key_allowed(struct passwd *pw,
        int len;
        char *fp;

-       if (auth_key_is_revoked(key))
+       if (auth_key_is_revoked(pw, key))
                return 0;

        resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);
Index: usr.bin/ssh//auth2-pubkey.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-pubkey.c,v
retrieving revision 1.86
diff -u -p -u -r1.86 auth2-pubkey.c
--- usr.bin/ssh//auth2-pubkey.c 20 Sep 2018 03:28:06 -0000      1.86
+++ usr.bin/ssh//auth2-pubkey.c 21 Oct 2018 15:27:04 -0000
@@ -1001,10 +1001,10 @@ user_key_allowed(struct ssh *ssh, struct
        if (authoptsp != NULL)
                *authoptsp = NULL;

-       if (auth_key_is_revoked(key))
+       if (auth_key_is_revoked(pw, key))
                return 0;
        if (sshkey_is_cert(key) &&
-           auth_key_is_revoked(key->cert->signature_key))
+           auth_key_is_revoked(pw, key->cert->signature_key))
                return 0;

        if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
