Adding SSH keys not added to account activity log

Created clean installation of Phabricator from github on latest Debian stable as part of bug bounty work (Detailed records kept if required).
Email is not configured.
If I add an SSH key to an account this is not added to the account activity log.

e.g.

changes here:
http://phabricator.local/settings/user/simon/page/ssh/

not recorded here:
http://phabricator.local/settings/user/simon/page/activity/

I’ve filed this as a Bug but strictly it would be an “enhancement”, or a “question”, e.g. what is the purpose of the Activity Log? I assume it is to provide information about whether the user account is compromised, or whether there is suspicion of inappropriate activity. If so, then manipulation of a user’s SSH keys would seem to be a likely change of interest, but that may not be the intended purpose.

Also shout if this isn’t the best forum, as I have other observations that individually don’t merit a HackerOne report, but fall out of looking at what the code does with a security hat on, but I’m still mastering the various applications.

Phabricator Version Information

Library      Version       Date         Branchpoint
phabricator  3e38579feea3  Mon, Feb 8
arcanist     f501f85eb8bf  Wed, Feb 10

Other Version Information

Binary      Version           Path
php         7.3.19-1~deb10u1  apache2handler
diff        3.7               /usr/bin/diff
git         2.20.1            /usr/bin/git
hg          Not Available
pygmentize  2.3.1             /usr/bin/pygmentize
svn         Not Available

The “User Activity” log is a sort of catch-all from a very long time ago and not really intended to be a comprehensive log, it just logs actions that seemed reasonable to log but don’t fit in any other log.

Changes to SSH keys for an individual account can be viewed in:

  • Settings > SSH Public Keys > SSH Key Actions > View History

…although you might have to fiddle around a bit (and click on each key) since this doesn’t show a single timeline.

Changes to SSH keys across all accounts can be viewed in:

  • Feed > Transaction Logs > Edit Query > Object Types: SSH Public Key

You can also filter this by “Authors” to get key changes to your account:

All of the involved interfaces here could likely be improved (for example, adding SSH key activity to the user log would be reasonable; adding a quick link to a cohesive log view from the SSH key list would be reasonable, etc), but I don’t see anything here that I’d qualify as a security issue, just “certain security workflows could be easier to find/use”.

Also shout if this isn’t the best forum…

This is the right forum.
