Log OpenSSH public keys from failed logins
Problem
I set up an autossh dialback on a machine in the office and forgot to note down the public key.
While certainly not safe to do so, how hard could it really be to grab the public key from the machine with the fixed IP that's been hitting my server every 3 seconds for the last 24 hours and give it a login (to be clear: a login to my reverseit tool, which is only ever going to allow me to connect back to the other end if it is in fact the machine I think it is)?
Solution
This Stack Overflow solution looks like what I needed, only when I implemented it the keys I got back still didn't work.
The reason is that you don't need to do any of it.
As of OpenSSH 8.9 in Ubuntu Jammy, debug level 2 (LogLevel DEBUG2 in sshd_config) produces log messages that start with
debug2: userauth_pubkey: valid user will querying public key rsa-sha2-512 AAAAB3Nz....
and just give you the whole public key...almost.
The problem is that OpenSSH log messages are truncated by default, at 1024 characters to be precise, and a large RSA public key plus the rest of the line can exceed that (a 4096-bit RSA key alone is roughly 720 characters of base64, whereas an ECC key is well under 200 and fits easily).
This is controlled by a #define in log.c:
#define MSGBUFSIZ 1024
Upping this to 8192, I recompiled and...it still didn't work.
Pasting the log lines I was getting into VS Code, I found that all of them were exactly 500 characters. That sounds like a format string to me, so after some more spelunking there it is: in log.c, the do_log function has these lines:
openlog(progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
I'm guessing this is to work with legacy syslog, which limited messages to about 512 bytes. We're trying to log to journald, so let's just increase that to 8192 and try it out.
debug2: userauth_pubkey: valid user will querying public key rsa-sha2-512 <full key elided> [preauth]
Oh wow, there's a lot there! In fact there's the [preauth] tag at the end, which is completely cut off normally.
Full Patch
diff --git a/log.c b/log.c
index bdc4b6515..09474e23a 100644
--- a/log.c
+++ b/log.c
@@ -325,7 +325,7 @@ log_redirect_stderr_to(const char *logfile)
log_stderr_fd = fd;
}
-#define MSGBUFSIZ 1024
+#define MSGBUFSIZ 8192
void
set_log_handler(log_handler_fn *handler, void *ctx)
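Review bot: the new value in `+#define MSGBUFSIZ 8192` is a bare magic number with nothing in the surrounding context explaining it; a one-line comment stating why (the 500-byte syslog precision in the second hunk and the length of a large RSA key in a debug2 line) would stop the next person from quietly lowering it again. The hunk also shows only the definition, not the buffers that are sized by MSGBUFSIZ, so before multiplying it by eight check that every buffer declared with it still fits wherever it is allocated.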
@@ -417,7 +417,7 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
closelog_r(&sdata);
#else
openlog(progname, LOG_PID, log_facility);
- syslog(pri, "%.500s", fmtbuf);
+ syslog(pri, "%.8192s", fmtbuf);
closelog();
#endif
}
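Review bot: `+ syslog(pri, "%.8192s", fmtbuf);` hard-codes the same 8192 as the MSGBUFSIZ change in the first hunk, so the two limits can drift apart; since fmtbuf is already bounded by MSGBUFSIZ, either drop the precision and pass `"%s"` or derive it from the macro so there is one source of truth. Only the `#else` branch is touched: the `closelog_r(&sdata);` context line shows a reentrant openlog_r/syslog_r path just above it that this hunk leaves untouched, so builds that take that branch will keep whatever length cap it carries.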
--
Use git apply in the working tree of the OpenSSH source, which I recommend editing with dgit.
Conclusions
OpenSSH does log offered public keys, at DEBUG2 level. But on any standard Ubuntu install, you will not get enough text to see them in full. The %.500s precision sits in upstream log.c's syslog path, so this is not Ubuntu-specific: any sshd that logs through syslog or journald is capped at 500 bytes per message, independently of the MSGBUFSIZ limit.
The giveaway that at least these lines have been truncated is whether you can see [preauth] after them. This behaviour is kind of silly (and should be configurable); ideally we would at least get a ... or <truncated> marker when it happens, because with variable-length fields like public keys it is not obvious.
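Since the point above is that a truncated key is not obvious from the line itself, here is a small checker, added here as an example and not part of the original post or of OpenSSH, that pulls the offered key out of a debug2 line and verifies it the way you would want to before pasting it into authorized_keys: it looks for the [preauth] suffix (the giveaway described above), then base64-decodes the blob and walks its RFC 4251 length-prefixed fields, so a key chopped mid-way fails loudly instead of silently. It goes slightly beyond the post by also accepting Ed25519 and ECDSA lines, and by checking that the key type inside the blob matches the algorithm named in the log. The line format follows the debug2 message quoted above; the timestamp/hostname prefix, the user name and the key material are constructed for the example (the RSA and Ed25519 blobs are structurally valid but are not real keys), and syslog_cap() just imitates what "%.500s" does to the formatted message.

```python
import base64
import binascii
import re
import struct

# The debug2 line quoted in the post, with whatever journald/syslog puts in
# front of "debug2:" ignored. The key token runs to the end of the line when
# the " [preauth]" suffix has been chopped off.
PUBKEY_RE = re.compile(
    r"debug2: userauth_pubkey: (?P<valid>valid|invalid) user (?P<user>\S+) "
    r"(?P<phase>querying|attempting) public key (?P<alg>\S+) (?P<b64>\S+?)"
    r"(?P<preauth> \[preauth\])?$"
)

# Key type stored inside the blob for the signature algorithm named in the
# log (assumption for this example: plain, non-certificate key types only).
def blob_type_for(alg: str) -> str:
    return "ssh-rsa" if alg.startswith("rsa-sha2-") else alg

# Number of RFC 4251 string fields a complete blob of each type contains.
EXPECTED_FIELDS = {"ssh-rsa": 3, "ssh-ed25519": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}


def _ssh_string(b: bytes) -> bytes:
    """Encode one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_blob(blob: bytes) -> list:
    """Split a public key blob into its string fields. Raises ValueError when a
    length prefix points past the end, which is what a key cut off mid-way by
    the logger looks like once base64-decoded."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("dangling length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def check_offered_key(line: str) -> dict:
    """Extract the offered key from one sshd debug2 line and list every sign
    that it did not survive logging intact. 'authorized_keys' is filled in
    only when there are no problems."""
    m = PUBKEY_RE.search(line.rstrip("\n"))
    if not m:
        return {"matched": False}
    alg, b64, want = m["alg"], m["b64"], blob_type_for(m["alg"])
    problems = []
    if not m["preauth"]:                       # the giveaway the post describes
        problems.append("no [preauth] suffix: line was cut off")
    try:
        fields = parse_blob(base64.b64decode(b64, validate=True))
    except (binascii.Error, ValueError) as e:
        problems.append(f"key blob does not decode: {e}")
        fields = []
    if fields:
        got = fields[0].decode("ascii", "replace")
        expected = EXPECTED_FIELDS.get(want)
        if got != want:
            problems.append(f"blob type {got!r} does not match {want!r}")
        elif expected is None:
            problems.append(f"unrecognised key type {want!r}")
        elif len(fields) != expected:
            problems.append(f"{want} needs {expected} fields, blob has {len(fields)}")
    return {
        "matched": True, "user": m["user"], "alg": alg, "b64": b64,
        "complete": not problems, "problems": problems,
        "authorized_keys": f"{want} {b64} logged-{m['user']}" if not problems else None,
    }


def syslog_cap(msg: str, cap: int = 500) -> str:
    """Imitate the stock do_log(): syslog(pri, "%.500s", fmtbuf) keeps only the
    first 500 bytes of the formatted message (ASCII here, so bytes == chars)."""
    return msg[:cap]


# ---- constructed sample data (not real keys, not real hosts) -----------------
ED25519_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
RSA_B64 = base64.b64encode(            # 4096-bit-sized modulus: 716 base64 chars
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00\x80" + b"\x5a" * 511)).decode()

HDR = "Apr 12 10:00:00 office sshd[4242]: "   # constructed journald-style prefix
MSG = "debug2: userauth_pubkey: valid user will querying public key "
SAMPLE_FULL_ED25519 = HDR + MSG + "ssh-ed25519 " + ED25519_B64 + " [preauth]"
SAMPLE_FULL_RSA = HDR + MSG + "rsa-sha2-512 " + RSA_B64 + " [preauth]"
# The same RSA line as an unpatched sshd emits it through syslog: the key tail
# and the " [preauth]" suffix are both gone.
SAMPLE_TRUNCATED_RSA = HDR + syslog_cap(MSG + "rsa-sha2-512 " + RSA_B64 + " [preauth]")

if __name__ == "__main__":
    for sample in (SAMPLE_FULL_ED25519, SAMPLE_FULL_RSA, SAMPLE_TRUNCATED_RSA):
        r = check_offered_key(sample)
        print("OK  " if r["complete"] else "BAD ", r["alg"], r["problems"] or r["authorized_keys"])
```

Run it against `journalctl -u ssh -o cat` output (or the raw auth.log) one line at a time; only entries whose `complete` flag is set are worth copying into authorized_keys. The decode check matters even after the [preauth] test, because a cap that happens to land on a 4-character base64 boundary still decodes cleanly and is only caught when a length prefix inside the blob points past the end of the data.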