30

I have a production system where several different people are allowed to log in to a single account - the account is for the application and not for the person as we don't have personal accounts on production servers.

For auditing purposes I want to be able to tell who logged in at what time, and as we use SSH keys to log in it seems logical to track that (as there is no other identifier to track).

When SSH authenticates a user, it logs the user name to the system's security log, but it does not log which of the authorized public keys was used in the log in. Is it possible to get OpenSSH to also report which public key was used, or maybe just the comment associated with that key?

The operating system being used is CentOS 5.6, but I'd like to also hear if its possible on other operating systems.

Guss
  • 2,520
  • 5
  • 32
  • 55
  • A nice blog post answers your question: http://www.screenage.de/blog/2012/02/10/how-to-log-history-and-logins-from-multiple-ssh-keys-under-one-user-account-with-puppet/ – yaronf Jun 17 '13 at 08:57

3 Answers3

38

If you raise the LogLevel to VERBOSE in your configuration file (/etc/sshd/sshd_config or similar) it will log the fingerprint of the public key used to authenticate the user.

LogLevel VERBOSE

Then you get messages like this:

Jul 19 11:23:13 centos sshd[13431]: Connection from 192.168.1.104 port 63529
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13432]: Postponed publickey for user from 192.168.1.104 port 63529 ssh2
Jul 19 11:23:13 centos sshd[13431]: Found matching RSA key: 54:a2:0a:cf:85:ef:89:96:3c:a8:93:c7:a1:30:c2:8b
Jul 19 11:23:13 centos sshd[13431]: Accepted publickey for user from 192.168.1.104 port 63529 ssh2

You can use:

 ssh-keygen -lf /path/to/public_key_file

to get the fingerprint of a particular public key.

Valerio Bozzolan
  • 279
  • 2
  • 10
user9517
  • 114,104
  • 20
  • 206
  • 289
  • 4
    Thanks! I need to confirm the key fingerprints against the `authorized_keys` file, so I made this little script to printout the fingerprints of authorized keys: `(p="$(mktemp)";cat ~/.ssh/authorized_keys|while IFS="$(printf "\n")" read key; do echo $key > $p; ssh-keygen -lf $p; done; rm -f $p)` – Guss Jul 19 '11 at 13:06
  • I noticed that SSH now logs the key twice for each login - any idea why and/or how to get it to log it once? – Guss Jul 19 '11 at 13:10
  • Why, that's a level of detail I'm not familiar with. Can you stop it, probably not without poking around with the source code. – user9517 Jul 19 '11 at 14:05
  • 2
    [This thread](http://www.derkeiler.com/Newsgroups/comp.security.ssh/2007-01/msg00096.html) looks relevant. It finds the matching key twice: once to determine if the key would be acceptable or not, then a second time to check the signature the client provides. – mpontillo Oct 24 '14 at 00:56
3

If your people are using ssh-agent, you could put this in your .bashrc:

SSH_KEY_NAME=$(ssh-add -L | cut -d' ' -f 3 || 'unknown')
if [[ ! $SSH_KEY_NAME ]]; then SSH_KEY_NAME="no agent"; fi
echo `/bin/date` $SSH_KEY_NAME >> ~/.login.log
Willem
  • 2,712
  • 3
  • 27
  • 34
  • Its a good idea, unfortunately one of the reasons I want to log this is that I'm using authorized_keys commands for the users that I want to log, and they don't normally get a bash shell. – Guss Jun 17 '13 at 12:40
0

Try playing around with the LogLevel parameter in sshd_config. For details, refer to man sshd_config

Sven
  • 97,248
  • 13
  • 177
  • 225
  • I think you submitted this answer at the same time of https://serverfault.com/a/291768/225489 but that one is more precise. What to do? – Valerio Bozzolan Sep 07 '21 at 13:07