Adding SSH keys not added to account activity log

Bug
#1

Created clean installation of Phabricator from github on latest Debian stable as part of bug bounty work (Detailed records kept if required).
Email is not configured.
If I add an SSH key to an account this is not added to the account activity log.

e.g.

changes here:
http://phabricator.local/settings/user/simon/page/ssh/

not recorded here:
http://phabricator.local/settings/user/simon/page/activity/

I’ve filed as Bug but strictly would be an “enhancement”, or a “question”. e.g. What the purpose of the Activity Log is? I assume it is to provide information about if the user account is compromised, or there is suspicion about inappropriate activity. If so then manipulation of a user’s SSH keys would seem to be a likely change of interest, but that may not be the intended purpose.

Also shout if this isn’t the best forum, as I have other observations that individually don’t merit a HackerOne report, but fall out of looking at what the code does with a security hat on, but I’m still mastering the various applications.

Phabricator Version Information

Library Version Date Branchpoint
phabricator 3e38579feea3 Mon, Feb 8
arcanist f501f85eb8bf Wed, Feb 10

Other Version Information

Binary Version Path
php 7.3.19-1~deb10u1 apache2handler
diff 3.7 /usr/bin/diff
git 2.20.1 /usr/bin/git
hg Not Available
pygmentize 2.3.1 /usr/bin/pygmentize
svn Not Available
#2

The “User Activity” log is a sort of catch-all from a very long time ago and not really intended to be a comprehensive log, it just logs actions that seemed reasonable to log but don’t fit in any other log.

Changes to SSH keys for an individual account can be viewed in:

  • Settings > SSH Public Keys > SSH Key Actions > View History

…although you might have to fiddle around a bit (and click on each key) since this doesn’t show a single timeline.

Changes to SSH keys across all accounts can be viewed in:

  • Feed > Transaction Logs > Edit Query > Object Types: SSH Public Key

You can also also filter this by “Authors” to get key changes to your account:

Screen Shot 2021-02-16 at 3.11.12 PM
Screen Shot 2021-02-16 at 3.11.12 PM1515×997 172 KB

All of the involved interfaces here could likely be improved (for example, adding SSH key activity to the user log would be reasonable; adding a quick link to a cohesive log view from the SSH key list would be reasonable, etc), but I don’t see anything here that I’d qualify as a security issue, just “certain security workflows could be easier to find/use”.

Also shout if this isn’t the best forum…

This is the right forum.

1 Like