mrash / fwknop

Single Packet Authorization > Port Knocking
http://www.cipherdyne.org/fwknop/
GNU General Public License v2.0

verbose output needed to differentiate between accepted username/key/authorization packet #338

Open pwolny opened 2 years ago

pwolny commented 2 years ago

First of all thanks again for this useful software.

In my multi-user setup it is not easy to tell from logs (with “VERBOSE 0;” set) which key was used to open a port. I would love to have this info easily available when one of the user keys gets compromised (to make authorization packet source IP filtering easier).

I cannot differentiate users by the SOURCE directive (all have ANY set there, and some use the same public IP) or by opened port (everyone uses the same port). All user stanzas in access.conf have REQUIRE_USERNAME set, but it is not logged at “VERBOSE 0”. At higher verbosity the Username is logged, but the logs are spammed with unneeded other info that makes them hard to interpret.

Would it be possible to add the Username (from the matched stanza's REQUIRE_USERNAME directive) to the logged message (at verbosity level 0, or via a configuration switch that enables it when desirable)?

For example an open port message could look like this: Added access rule to FWKNOP_INPUT for xxx.xxx.xxx.xxx -> 0.0.0.0/0 tcp/22, expires at xxxxxxxxxx, for Username: fwknop_user

instead of: Added access rule to FWKNOP_INPUT for xxx.xxx.xxx.xxx -> 0.0.0.0/0 tcp/22, expires at xxxxxxxxxx

My system is: “Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux” with: “fwknopd server 2.6.10, compiled for firewall bin: /usr/sbin/iptables”
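The triage problem described in this issue (working out which user's key opened a port, so that source IPs can be filtered after a key compromise) can be approached from the log side. The following is an added example, not code from the fwknop project or from the issue author: it parses the "Added access rule" message in the form quoted above, treats the ", for Username: ..." suffix that the issue proposes as optional (current fwknopd releases do not emit it), and groups the resulting rules by user so that lines without a username stand out as unattributed. The syslog prefix, IP addresses, expiry timestamps and user names in the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the fwknopd "Added access rule" message as quoted in the issue.
# The trailing ", for Username: <name>" group is the format the issue
# proposes; it is optional so that current-format lines still parse.
RULE_RE = re.compile(
    r"Added access rule to (?P<chain>\S+) for (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<proto>\w+)/(?P<port>\d+), expires at (?P<expires>\d+)"
    r"(?:, for Username: (?P<user>\S+))?"
)

UNATTRIBUTED = "(unattributed)"


def parse_rule_line(line):
    """Return a dict describing one access-rule log line, or None if the
    line is not an "Added access rule" message."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    rule = m.groupdict()
    rule["port"] = int(rule["port"])
    rule["expires"] = int(rule["expires"])
    # Lines in the current fwknopd format carry no username at all.
    rule["user"] = rule["user"] or UNATTRIBUTED
    return rule


def rules_by_user(lines):
    """Group every parsed access rule by the username it was logged for."""
    grouped = defaultdict(list)
    for line in lines:
        rule = parse_rule_line(line)
        if rule is not None:
            grouped[rule["user"]].append(rule)
    return dict(grouped)


def source_ips_for_user(lines, user):
    """Sorted, de-duplicated source IPs that opened a port under `user`:
    the list one would feed into a block rule once that user's key is
    known to be compromised."""
    return sorted({r["src"] for r in rules_by_user(lines).get(user, [])})


# Constructed sample log: two users sharing a public IP (which is why the
# SOURCE directive cannot tell them apart), one legacy line without a
# username, and one unrelated fwknopd message that must be ignored.
SAMPLE_LOG = [
    "Nov  3 10:15:02 gw fwknopd[1234]: Added access rule to FWKNOP_INPUT for "
    "203.0.113.5 -> 0.0.0.0/0 tcp/22, expires at 1700000030, for Username: alice",
    "Nov  3 10:16:40 gw fwknopd[1234]: Added access rule to FWKNOP_INPUT for "
    "203.0.113.5 -> 0.0.0.0/0 tcp/22, expires at 1700000130, for Username: bob",
    "Nov  3 11:02:11 gw fwknopd[1234]: Added access rule to FWKNOP_INPUT for "
    "198.51.100.7 -> 0.0.0.0/0 tcp/22, expires at 1700003000, for Username: alice",
    "Nov  3 11:05:00 gw fwknopd[1234]: Added access rule to FWKNOP_INPUT for "
    "192.0.2.9 -> 0.0.0.0/0 tcp/22, expires at 1700003200",
    "Nov  3 11:05:30 gw fwknopd[1234]: Removed rule 1 from FWKNOP_INPUT",
]

if __name__ == "__main__":
    for user, rules in sorted(rules_by_user(SAMPLE_LOG).items()):
        ips = ", ".join(sorted({r["src"] for r in rules}))
        print(f"{user}: {len(rules)} rule(s) from {ips}")
```

Run against a real fwknopd log the script would only ever populate the unattributed bucket until a username is logged at the default verbosity, which is exactly the gap the issue asks to close; the shared-IP sample shows why grouping by source address alone is not a substitute.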