• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 595
  • Last Modified:

passwordless ssh monitoring

Hi All,

I enabled passwordless ssh on some of the generic user accounts on some redhat linux 5 servers so anyone have his ssh key listed on that generic account's authorized_key will be allowed to ssh to the box without entering the password for that generic account.

I would like to know anything i can do to monitor who is actually using the generic account to login? i tried to add a environment variable to the user's ssh key that mark the username but i am not quite sure how i can use this variable to log the access.

2 Solutions
Jan SpringerCommented:
Have you tried modifying sshd_config to log in Verbose mode and optionally, logging to a separate file?
I assume that you added something like


to the public key in ~/.ssh/authorized_keys on the target machine corresponding to the private key of originating_user on the source machine?

OK, this is indeed the only way to get the ID of the originating user on the target system I'm aware of.

Since the variable is exported to the user's environmnet you can only evaluate it from there.

Best add a logging command to a system-wide shell initialization file, like /etc/profile.

To log to a flat file e.g.:

[ ! -z $OUSER ] && echo "$(date) Remote user $OUSER logged in as local user $USER from $SSH_CLIENT" >> /var/log/ssh_access.log

Please be aware that, if your users can log in as root, this logfile is subject to manipulation by those users.

Logging to a remote syslog server is safer. (Well, /etc/profile is not really protected from being changed by root, but anyway  ....)

Set up a remote syslog connection for e.g. auth.info, then add something like this to /etc/profile:

[ ! -z $OUSER ] && logger -t ssh_access -p auth.info "Remote user $OUSER logged in as local user $USER from $SSH_CLIENT"
Your /var/log/secure and /var/log/messages will include the IP from which the user is connecting

last username

You gave people keys to your house and then you are asking us to help you identify which individuals are using the keys you provided.
Build your data science skills into a career

Are you ready to take your data science career to the next step, or break into data science? With Springboard’s Data Science Career Track, you’ll master data science topics, have personalized career guidance, weekly calls with a data science expert, and a job guarantee.

nokypleaseAuthor Commented:

i added the logging command to the /etc/profile and it only can log user access for those user using bash shell? i have users using csh and nothing is being logged. Also i seems need to give write permission to the generic user account on the logging file otherwise i got permission denied when login.

Yes, the generic users need write permission, because the log entry is created from the login shells of those users.

One more reason to consider using  syslog (even remote syslog to inhibit local root access)..

For csh/tcsh users you will have to add the logging command to /etc/csh.login or /etc/csh.cshrc.

Besides that, the syntax must be slightly different.


if $?OUSER then
   echo "`date` Remote user $OUSER logged in as local user $USER from $SSH_CLIENT" >> /var/log/ssh_access.log


if $?OUSER then
   logger -t ssh_access -p auth.info "Remote user $OUSER logged in as local user $USER from $SSH_CLIENT"
nokypleaseAuthor Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Tackle projects and never again get stuck behind a technical roadblock.
Join Now