When a revoked key is used in an authentication attempt, only the key
information is currently logged:

Oct 21 18:07:00 server sshd[79743]: error: Authentication key RSA
SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:07:06 server sshd[79743]: Connection closed by
authenticating user foo 198.51.100.95 port 55634 [preauth]

That requires a little bit of AWK or Perl hackery to identify which
account it was used against.  It is also theoretically possible for the
log file to roll over at just the instant between writing the line
about the key and writing the second line about the closed connection,
making identification difficult.

It would be of help in both cases to identify the account in question
at the same time that the offending revoked key is identified in the
log:

Oct 21 18:14:14 server sshd[73078]: error: User foo authentication key
RSA SHA256:CMHiAcoUM2tSS0ENOFvMLBvjhwhaVsmQVvhuvhPxVy4 revoked by file
/etc/ssh/ssh_revoked_keys
Oct 21 18:14:28 server sshd[73078]: Connection closed by
authenticating user foo 198.51.100.95 port 55644 [preauth]

So I would suggest consideration of something like the changes below.
(Warning for cargo-culted code)

/Lars

Index: usr.bin/ssh//auth.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.133
diff -u -p -u -r1.133 auth.c
--- usr.bin/ssh//auth.c 12 Sep 2018 01:19:12 -0000      1.133
+++ usr.bin/ssh//auth.c 21 Oct 2018 15:27:04 -0000
@@ -507,7 +507,7 @@ getpwnamallow(const char *user)

 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
 int
-auth_key_is_revoked(struct sshkey *key)
+auth_key_is_revoked(struct passwd *pw, struct sshkey *key)
 {
        char *fp = NULL;
        int r;
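Review bot: The header comment above the function, `/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */`, is not updated for the new `pw` parameter, which from the second hunk is used only to name the account in the log line. Suggest extending it to `/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise. pw is the account the attempt is against; it is used only for logging and must not be NULL. */`. The rest of auth_key_is_revoked continues outside this hunk.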
@@ -526,8 +526,9 @@ auth_key_is_revoked(struct sshkey *key)
        case 0:
                break; /* not revoked */
        case SSH_ERR_KEY_REVOKED:
-               error("Authentication key %s %s revoked by file %s",
-                   sshkey_type(key), fp, options.revoked_keys_file);
+               error("User %s authentication key %s %s revoked by file %s",
+                   pw->pw_name, sshkey_type(key), fp,
+                   options.revoked_keys_file);
                goto out;
        default:
                error("Error checking authentication key %s %s in "
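Review bot: `pw->pw_name` is dereferenced unconditionally in the new error() call, so the function now requires a non-NULL pw where the old signature made no such demand; both call sites in this patch pass a pw they received as a parameter, but whether every path into those callers supplies one cannot be seen from here. Either guard it, `pw != NULL ? pw->pw_name : "(unknown)"`, or state the precondition next to the prototype so a future caller does not turn a revoked-key log line into a crash before authentication. Note also that pw_name is whatever the callers resolved, not necessarily the literal user name the client sent, so for an unknown account the logged name may be a placeholder — worth confirming against how the callers build pw. The enclosing switch and the function's out: label continue outside this hunk.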
Index: usr.bin/ssh//auth.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.h,v
retrieving revision 1.96
diff -u -p -u -r1.96 auth.h
--- usr.bin/ssh//auth.h 10 Apr 2018 00:10:49 -0000      1.96
+++ usr.bin/ssh//auth.h 21 Oct 2018 15:27:04 -0000
@@ -175,7 +175,7 @@ char        *authorized_principals_file(struct

 FILE   *auth_openkeyfile(const char *, struct passwd *, int);
 FILE   *auth_openprincipals(const char *, struct passwd *, int);
-int     auth_key_is_revoked(struct sshkey *);
+int     auth_key_is_revoked(struct passwd *, struct sshkey *);

 const char     *auth_get_canonical_hostname(struct ssh *, int);

Index: usr.bin/ssh//auth2-hostbased.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-hostbased.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 auth2-hostbased.c
--- usr.bin/ssh//auth2-hostbased.c      20 Sep 2018 03:28:06 -0000      1.38
+++ usr.bin/ssh//auth2-hostbased.c      21 Oct 2018 15:27:04 -0000
@@ -175,7 +175,7 @@ hostbased_key_allowed(struct passwd *pw,
        int len;
        char *fp;

-       if (auth_key_is_revoked(key))
+       if (auth_key_is_revoked(pw, key))
                return 0;

        resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);
Index: usr.bin/ssh//auth2-pubkey.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-pubkey.c,v
retrieving revision 1.86
diff -u -p -u -r1.86 auth2-pubkey.c
--- usr.bin/ssh//auth2-pubkey.c 20 Sep 2018 03:28:06 -0000      1.86
+++ usr.bin/ssh//auth2-pubkey.c 21 Oct 2018 15:27:04 -0000
@@ -1001,10 +1001,10 @@ user_key_allowed(struct ssh *ssh, struct
        if (authoptsp != NULL)
                *authoptsp = NULL;

-       if (auth_key_is_revoked(key))
+       if (auth_key_is_revoked(pw, key))
                return 0;
        if (sshkey_is_cert(key) &&
-           auth_key_is_revoked(key->cert->signature_key))
+           auth_key_is_revoked(pw, key->cert->signature_key))
                return 0;

        if ((success = user_cert_trusted_ca(ssh, pw, key, &opts)) != 0)
