I was hoping to get some help with an approach that could be used...
I am building out a solution that will use SSH-CA (that is, SSH where authentication is done via certificates).
Flow is simple:
1) User generates key pair
2) Authenticates with HSM and gets public key signed
3) SSH server validates signature and cert and allows access
(there are extra bits, but this is basically it).
Here's my problem: I can monitor the cert requests and the SSH interactions, but how do I monitor the actions of a user?
As this is for DevOps staff, they need root, so mostly folks will all be logged in to the SSH session as root.
I still need to tie commands issued to actual staff names or IDs.
Any smart ideas?
I thought of using:
- Exploiting LD_PRELOAD to provide a rudimentary breadcrumb trail.
- Usage of multiple certificate authorities, one per user.
- Usage of UNIX groups, employing groups of groups.
But they're all icky solutions.
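Added example, not from the original post: sshd already writes the certificate's key ID and serial into the "Accepted publickey" auth-log line, so the per-connection sshd pid can be mapped to a staff identity even though everyone is root. The parser below builds that map from constructed log lines (hosts, pids and fingerprints are made up) and separately returns root logins that carried no certificate, since commands in those sessions cannot be attributed to anyone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# sshd logs a certificate login as (OpenSSH auth log format):
#   ... ssh2: <type>-CERT <fp> ID <key_id> (serial <n>) CA <type> <ca_fp>
# (the "ID ... CA ..." tail is absent for a plain authorized_keys login)
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<account>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<ca_type>\S+) (?P<ca_fp>SHA256:\S+))?$"
)

@dataclass
class Login:
    pid: int               # per-connection sshd process
    account: str           # Unix account used (root for everyone here)
    src: str               # client ip:port
    key_id: Optional[str]  # certificate key ID = the staff identity, None if no cert
    serial: Optional[int]  # certificate serial, pins the exact issuance
    ca_fp: Optional[str]   # fingerprint of the CA that signed it

def parse_login(line: str) -> Optional[Login]:
    """Parse one sshd 'Accepted publickey' line; None for any other line."""
    m = ACCEPT_RE.search(line.rstrip())
    if not m:
        return None
    serial = m.group("serial")
    return Login(int(m.group("pid")), m.group("account"),
                 f"{m.group('ip')}:{m.group('port')}", m.group("key_id"),
                 int(serial) if serial else None, m.group("ca_fp"))

def attribute_sessions(lines) -> Tuple[Dict[int, str], List[Login]]:
    """Map sshd session pid -> staff identity (cert key ID). Logins that
    carried no certificate are returned separately: their commands cannot
    be tied to a person, which is exactly the gap to alert on."""
    by_pid, unattributed = {}, []
    for login in filter(None, map(parse_login, lines)):
        if login.key_id is None:
            unattributed.append(login)
        else:
            by_pid[login.pid] = login.key_id
    return by_pid, unattributed
# Constructed sample lines; hosts, pids and fingerprints are made up.
SAMPLE_LOG = [
    "Mar  3 10:15:02 bastion sshd[4121]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: ED25519-CERT SHA256:fp1constructed ID alice@example.com (serial 17) CA ED25519 SHA256:cafpconstructed",
    "Mar  3 10:16:40 bastion sshd[4150]: Accepted publickey for root from 10.0.0.7 port 51300 ssh2: RSA-CERT SHA256:fp2constructed ID bob@example.com (serial 18) CA ED25519 SHA256:cafpconstructed",
    "Mar  3 10:17:11 bastion sshd[4188]: Accepted publickey for root from 10.0.0.9 port 40022 ssh2: RSA SHA256:legacyfpconstructed",
]
```

The pid in the map is the per-connection sshd child, so shell or audit records from that session can be joined to a person through their process ancestry rather than through the (shared) root account.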