upstream: when refusing a certificate for user authentication, log
authordjm@openbsd.org <djm@openbsd.org>
Wed, 6 Aug 2025 04:53:04 +0000 (04:53 +0000)
committerDamien Miller <djm@mindrot.org>
Wed, 6 Aug 2025 23:45:01 +0000 (09:45 +1000)
enough information to identify the certificate in addition to the reason why
it was being denied. Makes debugging certificate authz problems a bit easier.

ok dlg@

OpenBSD-Commit-ID: 4c4621b2e70412754b3fe7540af8f4bf02b722b1

auth2-hostbased.c
auth2-pubkey.c
auth2-pubkeyfile.c

index eb21479a0270396ba974e41df74a3ad08ea7270b..e28134a1ae2cefa4e6247ceeebde6c33934c79c7 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.53 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.54 2025/08/06 04:53:04 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -213,8 +213,16 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
 
        if (sshkey_is_cert(key) &&
            sshkey_cert_check_authority_now(key, 1, 0, 0, lookup, &reason)) {
-               error("%s", reason);
-               auth_debug_add("%s", reason);
+               if ((fp = sshkey_fingerprint(key->cert->signature_key,
+                   options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+                       fatal_f("sshkey_fingerprint fail");
+               error("Refusing certificate ID \"%s\" serial=%llu signed by "
+                   "%s CA %s: %s", key->cert->key_id, key->cert->serial,
+                   sshkey_type(key->cert->signature_key), fp, reason);
+               auth_debug_add("Refused Certificate ID \"%s\" serial=%llu: %s",
+                   key->cert->key_id, (unsigned long long)key->cert->serial,
+                   reason);
+               free(fp);
                return 0;
        }
 
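Review bot: The error() call that follows the sshkey_fingerprint() check passes `key->cert->serial` to `%llu` without the `(unsigned long long)` cast that the auth_debug_add() call immediately below applies to the same field; the same asymmetry appears in the corresponding error() call in user_cert_trusted_ca (auth2-pubkey.c) and at the new cert_fail_reason label in auth_check_authkey_line (auth2-pubkeyfile.c). If `serial` is a fixed-width 64-bit type, it is `unsigned long long` only on some ABIs, so the uncast argument is a format/argument mismatch that `-Wformat` will flag elsewhere and is undefined behaviour in principle. The change in each of the three error() calls is `(unsigned long long)key->cert->serial,` in place of the bare field, matching the cast the files already use in their auth_debug_add() lines. hostbased_key_allowed begins above this hunk, so the declaration of `fp` is not visible here; the hunk frees it before returning, so presumably it is a `char *` local owned by this function.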
index aa24fda0575382d9bcd967525c08f810d04ad368..221b242f831d6ee181a7ab5dfdce12b14e7c278f 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.122 2024/12/12 09:09:09 dtucker Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.123 2025/08/06 04:53:04 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -590,8 +590,14 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key,
                if ((final_opts = sshauthopt_merge(principals_opts,
                    cert_opts, &reason)) == NULL) {
  fail_reason:
-                       error("%s", reason);
-                       auth_debug_add("%s", reason);
+                       error("Refusing certificate ID \"%s\" serial=%llu "
+                           "signed by %s CA %s: %s", key->cert->key_id,
+                           key->cert->serial,
+                           sshkey_type(key->cert->signature_key), ca_fp,
+                           reason);
+                       auth_debug_add("Refused Certificate ID \"%s\" "
+                           "serial=%llu: %s", key->cert->key_id,
+                           (unsigned long long)key->cert->serial, reason);
                        goto out;
                }
        }
index 31e7481fbe55321baa78f7501afbdc5bb262210e..531a266ac336a66610f6110e6c55e304b2d6b42d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkeyfile.c,v 1.4 2023/03/05 05:34:09 dtucker Exp $ */
+/* $OpenBSD: auth2-pubkeyfile.c,v 1.5 2025/08/06 04:53:04 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -344,15 +344,15 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key,
        /* Parse and check options present in certificate */
        if ((certopts = sshauthopt_from_cert(key)) == NULL) {
                reason = "Invalid certificate options";
-               goto fail_reason;
+               goto cert_fail_reason;
        }
        if (auth_authorise_keyopts(pw, certopts, 0,
            remote_ip, remote_host, loc) != 0) {
                reason = "Refused by certificate options";
-               goto fail_reason;
+               goto cert_fail_reason;
        }
        if ((finalopts = sshauthopt_merge(keyopts, certopts, &reason)) == NULL)
-               goto fail_reason;
+               goto cert_fail_reason;
 
        /*
         * If the user has specified a list of principals as
@@ -362,12 +362,12 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key,
        if (keyopts->cert_principals != NULL &&
            !match_principals_option(keyopts->cert_principals, key->cert)) {
                reason = "Certificate does not contain an authorized principal";
-               goto fail_reason;
+               goto cert_fail_reason;
        }
        if (sshkey_cert_check_authority_now(key, 0, 0, 0,
            keyopts->cert_principals == NULL ? pw->pw_name : NULL,
            &reason) != 0)
-               goto fail_reason;
+               goto cert_fail_reason;
 
        verbose("Accepted certificate ID \"%s\" (serial %llu) "
            "signed by CA %s %s found at %s",
@@ -386,8 +386,17 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key,
        ret = 0;
        goto out;
 
+ cert_fail_reason:
+       error("Refusing certificate ID \"%s\" serial=%llu "
+           "signed by %s CA %s via %s: %s", key->cert->key_id,
+           key->cert->serial, sshkey_type(key->cert->signature_key),
+           fp, loc, reason);
+       auth_debug_add("Refused Certificate ID \"%s\" serial=%llu: %s",
+           key->cert->key_id, (unsigned long long)key->cert->serial, reason);
+       goto out;
+
  fail_reason:
-       error("%s", reason);
+       error("%s at %s", reason, loc);
        auth_debug_add("%s", reason);
  out:
        free(fp);
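Review bot: At the new cert_fail_reason label the error() line logs the CA type, CA fingerprint and authorized_keys location, while the auth_debug_add() line carries only the certificate ID, serial and reason; that split looks deliberate and deserves a comment so a later edit does not "complete" the client-facing message with server-side details, e.g. `/* auth_debug text is relayed to the client: keep CA fingerprint and file location out of it */` above the auth_debug_add() call — I read auth_debug_add() as buffering text that is later sent to the client, so confirm that reading against auth.c. Every path into cert_fail_reason (the five gotos in the two hunks above) must have assigned `fp` before jumping, since error() prints it with `%s`; the assignment is outside these hunks, so I could not verify it here. auth_check_authkey_line begins above the first hunk and continues below this one.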