https://bugzilla.mindrot.org/show_bug.cgi?id=3959
Bug ID: 3959
Summary: Improve message about expired certificate
Product: Portable OpenSSH
Version: 9.6p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: [email protected]
Reporter: [email protected]
When a user's SSH certificate had expired, the user sees a "Server
refused our key" message from PuTTY, and the server's syslog states:
sshd[24334]: error: Certificate invalid: expired
So no client ID, no user ID, no certificate ID.
For an admin this makes it hard to find out what's going on.
In contrast when the key succeeds, then the message is like:
sshd[19339]: Accepted publickey for use from 172.20.8.96 port 54233
ssh2: ED25519-CERT SHA256:A/WbJo0... ID 9518@User... (serial 2) CA
ED25519 SHA256:EE8FNy...
So there's MUCH more information then.
Therefore I suggest to enhance the failure message for expired user
certificates in sshd. Fo example the username, certificate ID,etc.
and expiration date could be logged.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
