Lekensteyn / ssh-blocker

Block IP addresses based on SSH logs

sshd on Fedora logs the public key fingerprint #3

Open rubenk opened 9 years ago

rubenk commented 9 years ago

For example: Accepted publickey for ruben from x.x.x.x port 57452 ssh2: RSA d4:65:ea:25:96:22:c6:72:53:33:91:5a:78:1e:24:69

Lekensteyn commented 9 years ago

Thank you for this PR.

I am worried that this change would unintentionally allow other entries containing this substring. For example, it seems that the Bye Bye text in the below log message is attacker-supplied:

sshd[905]: Invalid user angie from 195.154.65.98
sshd[905]: input_userauth_request: invalid user angie [preauth]
sshd[905]: Received disconnect from 195.154.65.98: 11: Bye Bye [preauth]

This could be used to bypass the intended filtering. Either the message matching should be anchored to the beginning (stripping/ignoring sshd[...]: somehow) or it should get anchored to the end (including an optional regex match for the fingerprint).
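The anchoring concern raised above, worked through as an added example (this is not ssh-blocker's own code, which is written in C; it is a stand-alone Python illustration). It assumes the line layouts quoted in this thread, a hypothetical `sshd[pid]: ` prefix with an optional syslog timestamp/host in front of it, and an optional trailing fingerprint field after `ssh2`. The sample log lines are constructed; one of them is a disconnect whose client-chosen reason text imitates an `Accepted publickey` line, which is exactly the kind of entry an unanchored substring search misclassifies.

```python
import re

# Constructed sample lines (not from a real host). The first three mirror the lines
# quoted in this thread; the last one carries a client-supplied disconnect reason that
# imitates a successful-login message.
SAMPLE_LINES = [
    "sshd[905]: Accepted publickey for ruben from 192.0.2.10 port 57452 ssh2: "
    "RSA d4:65:ea:25:96:22:c6:72:53:33:91:5a:78:1e:24:69",
    "sshd[905]: Accepted publickey for ruben from 192.0.2.10 port 57452 ssh2",
    "sshd[905]: Invalid user angie from 195.154.65.98",
    "sshd[905]: Received disconnect from 195.154.65.98: 11: Bye Bye [preauth]",
    "sshd[905]: Received disconnect from 195.154.65.98: 11: "
    "Accepted publickey for root from 195.154.65.98 port 1 ssh2 [preauth]",
]

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical strict prefix: an optional "Mon dd hh:mm:ss host " syslog header, then
# "sshd[pid]: ". Deliberately NOT ".*sshd\[\d+\]: ", because a permissive prefix would
# let a spoofed "sshd[1]: Accepted ..." embedded in attacker text satisfy the anchor.
PREFIX = r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ )?sshd\[\d+\]: "

# Every pattern is anchored at both ends, so attacker-controlled fields (user name,
# disconnect reason) can only ever land inside a capture group, never shift the match.
PATTERNS = {
    "accepted": re.compile(
        PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from " + IP
        + r" port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?$"   # fingerprint optional
    ),
    # The user name is attacker-chosen, so the pattern is anchored on the real IP at the
    # end: greedy ".*" plus "$" makes the LAST "from <ip>" win, not an embedded one.
    "invalid_user": re.compile(PREFIX + r"Invalid user (?P<user>.*) from " + IP + r"$"),
    "disconnect": re.compile(PREFIX + r"Received disconnect from " + IP + r": \d+: .*$"),
}

# The unanchored variant the thread warns about: a substring search anywhere in the line.
NAIVE_ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from " + IP)


def classify_naive(line):
    """Unanchored search; returns ('accepted', ip) wherever the substring appears."""
    m = NAIVE_ACCEPTED.search(line)
    return ("accepted", m.group("ip")) if m else None


def classify(line):
    """Anchored match; returns (kind, ip, fields) or None for lines we do not handle."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.rstrip("\n"))
        if m:
            return kind, m.group("ip"), m.groupdict()
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("anchored:", classify(line))
        print("naive:   ", classify_naive(line))
        print()
```

Running the block shows the difference on the last sample line: the anchored matcher reports it as a `disconnect` from 195.154.65.98, while the naive search reports an `accepted` login for whatever IP the client wrote into the reason text. Anchoring on the real IP at the end also covers user names containing `from <ip>`, because the greedy group followed by `$` always leaves the genuine source address for the `ip` capture.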

rubenk commented 9 years ago

Yeah that's a good point. I'm out of time for now but I'll look into this, thanks.