sshd: logging client's public key
Solution 1:
If you need the public key for whitelisting, you cannot pick it from a failed attempt. It is not about sshd or its configuration at all, but the protocol itself, as public key authentication goes this way:
- Client sends an ID for the key pair.
- Server compares the ID to the authorized_keys file.
- Server generates a random number and uses the matching public key to encrypt it.
- Server sends it to the client.
- Client decrypts it, combines it with the shared session key and sends back the MD5 of this.
- Server calculates the same checksum on its own and compares the two.
In failed attempts, this stops at step 2, preventing anything further from happening. Nevertheless, the whole public key is never sent to the server, just the ID.
One does not simply log something he doesn't even know.
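Added example (not part of the question or the answer above, and not OpenSSH's own code): where sshd does record key material, it is as a fingerprint on the auth log line of a successful public-key login. The parser below reads such lines, groups fingerprints per user, flags a key that is used by more than one account, and compares what was seen against a whitelist of allowed fingerprints. The log lines, user names, addresses and fingerprints are constructed samples in the format OpenSSH uses; the whitelist and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample auth log excerpt (made-up hosts, users, addresses and
# fingerprints), in the format OpenSSH uses for "Accepted publickey" lines.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:3q5Z2R9yB0kZzKQy1Xx2zJd3Wb4u9vB8c7eA6fG5hI0
Mar  3 10:16:12 bastion sshd[2210]: Accepted password for bob from 192.0.2.11 port 51300 ssh2
Mar  3 10:17:45 bastion sshd[2222]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:Lm9nO8pQ7rS6tU5vW4xY3zA2bC1dE0fG9hI8jK7lM6n
Mar  3 10:18:02 bastion sshd[2230]: Accepted publickey for carol from 192.0.2.10 port 51240 ssh2: RSA SHA256:3q5Z2R9yB0kZzKQy1Xx2zJd3Wb4u9vB8c7eA6fG5hI0
"""

# Matches the user, source address, port, key type and SHA256 fingerprint
# of a successful public-key login. Password logins carry no key and are
# deliberately not matched.
PUBKEY_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/=]+)"
)


def parse_publickey_logins(text):
    """Return one dict per 'Accepted publickey' line, in log order."""
    entries = []
    for line in text.splitlines():
        m = PUBKEY_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def fingerprints_by_user(entries):
    """Map each user to the set of key fingerprints seen logging in as them."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["fp"])
    return dict(seen)


def shared_fingerprints(entries):
    """Fingerprints used by more than one account (a key shared between users
    is worth a closer look)."""
    users = defaultdict(set)
    for e in entries:
        users[e["fp"]].add(e["user"])
    return {fp: u for fp, u in users.items() if len(u) > 1}


def unexpected_logins(entries, allowed):
    """Entries whose fingerprint is not in the whitelist `allowed`
    (a set of 'SHA256:...' strings)."""
    return [e for e in entries if e["fp"] not in allowed]


if __name__ == "__main__":
    logins = parse_publickey_logins(SAMPLE_LOG)
    # Hypothetical whitelist: only alice's RSA key is expected on this host.
    whitelist = {"SHA256:3q5Z2R9yB0kZzKQy1Xx2zJd3Wb4u9vB8c7eA6fG5hI0"}
    for user, fps in fingerprints_by_user(logins).items():
        print(user, sorted(fps))
    for fp, users in shared_fingerprints(logins).items():
        print("shared key", fp, "used by", sorted(users))
    for e in unexpected_logins(logins, whitelist):
        print("not whitelisted:", e["user"], e["ip"], e["ktype"], e["fp"])
```

Note that this only covers logins that succeeded, which is consistent with the answer above: the fingerprint appears on the line precisely because the server found a matching entry in authorized_keys.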