Index: b/auth2-pubkey.c

===================================================================

--- b.orig/auth2-pubkey.c

+++ b/auth2-pubkey.c

@@ -389,6 +389,10 @@ check_principals_line(struct ssh *ssh, c

 			continue;

 		debug3("%s: matched principal \"%.100s\"",

 		    loc, cert->principals[i]);

+		verbose("Matched principal \"%.100s\" from %s against \"%.100s\" "

+		    "from cert",

+		    cp, loc, cert->principals[i]);

+

 		found = 1;

 		slog_set_principal(cp);

 	}

@@ -432,6 +436,8 @@ process_principals(struct ssh *ssh, FILE

 			found_principal = 1;

 	}

 	free(line);

+	if (!found_principal)

+		verbose("Did not match any principals from auth_principals_* files");

 	return found_principal;

 }

@@ -710,7 +716,7 @@ check_authkey_line(struct ssh *ssh, stru

 	    &reason) != 0)

 		goto fail_reason;

-	verbose("Accepted certificate ID \"%s\" (serial %llu) "

+	verbose("Accepted cert ID \"%s\" (serial %llu) "

 	    "signed by CA %s %s found at %s",

 	    key->cert->key_id,

 	    (unsigned long long)key->cert->serial,

@@ -780,7 +786,7 @@ static int

 user_cert_trusted_ca(struct ssh *ssh, struct passwd *pw, struct sshkey *key,

     struct sshauthopt **authoptsp)

 {

-	char *ca_fp, *principals_file = NULL;

+	char *ca_fp, *key_fp, *principals_file = NULL;

 	const char *reason;

 	struct sshauthopt *principals_opts = NULL, *cert_opts = NULL;

 	struct sshauthopt *final_opts = NULL;

@@ -796,11 +802,16 @@ user_cert_trusted_ca(struct ssh *ssh, st

 	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)

 		return 0;

+	key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);

+

 	if ((r = sshkey_in_file(key->cert->signature_key,

 	    options.trusted_user_ca_keys, 1, 0)) != 0) {

 		debug2_fr(r, "CA %s %s is not listed in %s",

 		    sshkey_type(key->cert->signature_key), ca_fp,

 		    options.trusted_user_ca_keys);

+		verbose("CA %s %s is not listed in %s",

+		    sshkey_type(key->cert->signature_key), ca_fp,

+		    options.trusted_user_ca_keys);

 		goto out;

 	}

 	/*

@@ -851,6 +862,11 @@ user_cert_trusted_ca(struct ssh *ssh, st

 		if ((final_opts = sshauthopt_merge(principals_opts,

 		    cert_opts, &reason)) == NULL) {

  fail_reason:

+			verbose("Rejected cert ID \"%s\" with signature "

+			    "%s signed by %s CA %s via %s",

+			    key->cert->key_id, key_fp,

+			    sshkey_type(key->cert->signature_key), ca_fp,

+			    options.trusted_user_ca_keys);

 			error("%s", reason);

 			auth_debug_add("%s", reason);

 			goto out;

@@ -858,9 +874,10 @@ user_cert_trusted_ca(struct ssh *ssh, st

 	}

 	/* Success */

-	verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "

-	    "%s CA %s via %s", key->cert->key_id,

-	    (unsigned long long)key->cert->serial,

+	verbose("Accepted cert ID \"%s\" (serial %llu) with signature %s "

+	    "signed by %s CA %s via %s",

+	    key->cert->key_id,

+	    (unsigned long long)key->cert->serial, key_fp,

 	    sshkey_type(key->cert->signature_key), ca_fp,

 	    options.trusted_user_ca_keys);

 	if (authoptsp != NULL) {

@@ -875,6 +892,7 @@ user_cert_trusted_ca(struct ssh *ssh, st

 	sshauthopt_free(final_opts);

 	free(principals_file);

 	free(ca_fp);

+	free(key_fp);

 	return ret;

 }

Index: b/regress/cert-logging.sh

===================================================================

--- /dev/null

+++ b/regress/cert-logging.sh

@@ -0,0 +1,84 @@

+tid="cert logging"

+

+CERT_ID="cert_id"

+PRINCIPAL=$USER

+SERIAL=0

+

+log_grep() {

+    if [ "$(grep -c -G "$1" "$TEST_SSHD_LOGFILE")" == "0" ]; then

+        return 1;

+    else

+        return 0;

+    fi

+}

+

+cat << EOF >> $OBJ/sshd_config

+TrustedUserCAKeys $OBJ/ssh-rsa.pub

+Protocol 2

+PubkeyAuthentication yes

+AuthenticationMethods publickey

+AuthorizedPrincipalsFile $OBJ/auth_principals

+EOF

+

+if [ ! -f $OBJ/trusted_rsa ]; then

+    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/trusted_rsa

+fi

+if [ ! -f $OBJ/untrusted_rsa ]; then

+    ${SSHKEYGEN} -q -t rsa -C '' -N '' -f $OBJ/untrusted_rsa

+fi

+

+${SSHKEYGEN} -q -s $OBJ/ssh-rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/trusted_rsa.pub ||

+    fatal "Could not create trusted SSH cert"

+

+${SSHKEYGEN} -q -s $OBJ/untrusted_rsa -I $CERT_ID -n $PRINCIPAL -z $SERIAL $OBJ/untrusted_rsa.pub ||

+    fatal "Could not create untrusted SSH cert"

+

+CA_FP="$(${SSHKEYGEN} -l -E sha256 -f ssh-rsa | cut -d' ' -f2)"

+KEY_FP="$(${SSHKEYGEN} -l -E sha256 -f trusted_rsa | cut -d' ' -f2)"

+UNTRUSTED_CA_FP="$(${SSHKEYGEN} -l -E sha256 -f untrusted_rsa | cut -d' ' -f2)"

+

+start_sshd

+

+

+test_no_principals() {

+    echo > $OBJ/auth_principals

+    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||

+        fatal "SSH failed"

+

+    if ! log_grep 'Did not match any principals from auth_principals_\* files'; then

+        fail "No 'Did not match any principals' message"

+    fi

+

+    if ! log_grep "Rejected cert ID \"$CERT_ID\" with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then

+        fail "No 'Rejected cert ID' message"

+    fi

+}

+

+

+test_with_principals() {

+    echo $USER > $OBJ/auth_principals

+    ${SSH} -F $OBJ/ssh_config -i $OBJ/trusted_rsa-cert.pub somehost true ||

+        fatal "SSH failed"

+

+    if ! log_grep "Matched principal \"$PRINCIPAL\" from $OBJ/auth_principals:1 against \"$PRINCIPAL\" from cert"; then

+        fail "No 'Matched principal' message"

+    fi

+    if ! log_grep "Accepted cert ID \"$CERT_ID\" (serial $SERIAL) with signature $KEY_FP signed by RSA CA $CA_FP via $OBJ/ssh-rsa.pub"; then

+        fail "No 'Accepted cert ID' message"

+    fi

+}

+

+

+test_untrusted_cert() {

+    ${SSH} -F $OBJ/ssh_config -i $OBJ/untrusted_rsa-cert.pub somehost true ||

+        fatal "SSH failed"

+

+    if ! log_grep "CA RSA $UNTRUSTED_CA_FP is not listed in $OBJ/ssh-rsa.pub"; then

+        fail "No 'CA is not listed' message"

+    fi

+}

+

+

+test_no_principals

+test_with_principals

+test_untrusted_cert