
Solved

passwordless ssh monitoring

Posted on 2013-06-22
Medium Priority
589 Views
Last Modified: 2013-06-24
Hi All,

I enabled passwordless ssh on some of the generic user accounts on some Red Hat Linux 5 servers, so anyone who has his ssh key listed in that generic account's authorized_keys will be allowed to ssh to the box without entering the password for that generic account.

I would like to know if there is anything I can do to monitor who is actually using the generic account to log in. I tried to add an environment variable to the user's ssh key that marks the username, but I am not quite sure how I can use this variable to log the access.

thanks.
Question by:nokyplease
6 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39268406
Have you tried modifying sshd_config to log in Verbose mode and optionally, logging to a separate file?
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 39268573
I assume that you added something like

environment="OUSER=originating_user"

to the public key in ~/.ssh/authorized_keys on the target machine corresponding to the private key of originating_user on the source machine?

OK, this is indeed the only way to get the ID of the originating user on the target system I'm aware of.

Since the variable is exported to the user's environment, you can only evaluate it from there.

Best add a logging command to a system-wide shell initialization file, like /etc/profile.

To log to a flat file e.g.:

[ -n "$OUSER" ] && echo "$(date) Remote user $OUSER logged in as local user $USER from $SSH_CLIENT" >> /var/log/ssh_access.log

Please be aware that, if your users can log in as root, this logfile is subject to manipulation by those users.

Logging to a remote syslog server is safer. (Well, /etc/profile is not really protected from being changed by root, but anyway  ....)

Set up a remote syslog connection for e.g. auth.info, then add something like this to /etc/profile:

[ -n "$OUSER" ] && logger -t ssh_access -p auth.info "Remote user $OUSER logged in as local user $USER from $SSH_CLIENT"
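The environment="OUSER=..." tagging described above only attributes a login if every key in the generic account's authorized_keys carries such a tag, and only if sshd honours it (OpenSSH ignores environment= options in authorized_keys unless PermitUserEnvironment yes is set in sshd_config). The script below is an added example, not code from this thread: it audits an authorized_keys file and flags keys that have no OUSER tag, then summarises the flat-file log written by the /etc/profile snippet by remote user, local account and source address. The key file, the log lines and the names alice, backup, bob and appuser are constructed samples; the key material is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an OpenSSH authorized_keys file
# for environment="OUSER=..." tags and summarises the ssh_access.log produced
# by the /etc/profile logging line. Sample inputs below are constructed.

audit_authorized_keys() {
    # $1: path to an authorized_keys file.
    # Prints one line per key: "<status> <OUSER or NONE> <key type> <comment>".
    # Keys with no OUSER tag are marked UNATTRIBUTED: a login with that key
    # cannot be tied to an originating user by the /etc/profile logging.
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            ouser = "NONE"
            # A line carries options if it does not start with a key type.
            if (line !~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ ]+)[ \t]/) {
                # Options end at the first space outside double quotes
                # (command="..." may itself contain spaces).
                n = length(line); inq = 0; i = 1
                while (i <= n) {
                    c = substr(line, i, 1)
                    if (c == "\"") inq = !inq
                    else if (c == " " && !inq) break
                    i++
                }
                opts = substr(line, 1, i - 1)
                line = substr(line, i + 1)
                # environment="OUSER=<value>": prefix is 19 chars, plus closing quote
                if (match(opts, /environment="OUSER=[^"]*"/))
                    ouser = substr(opts, RSTART + 19, RLENGTH - 20)
            }
            split(line, f, " ")
            type = f[1]; comment = (f[3] == "" ? "-" : f[3])
            status = (ouser == "NONE") ? "UNATTRIBUTED" : "OK"
            print status, ouser, type, comment
        }
    ' "$1"
}

summarize_access_log() {
    # $1: path to the flat-file log written from /etc/profile.
    # Prints "<count> <remote user> <local user> <source IP>", most frequent first.
    # $SSH_CLIENT expands to "ip port sshd_port", so the IP is the word after "from".
    awk '
        /Remote user .* logged in as local user .* from / {
            for (i = 1; i <= NF; i++) {
                if ($i == "user" && $(i-1) == "Remote") remote = $(i+1)
                if ($i == "user" && $(i-1) == "local")  local = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            count[remote " " local " " ip]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# --- constructed sample inputs (hypothetical hosts and users) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed sample; key material is a placeholder, not a real key
environment="OUSER=alice" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@ws1
command="/usr/bin/rsync --server",environment="OUSER=backup" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@bk1
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@ws2
EOF

cat > "$SAMPLE_DIR/ssh_access.log" <<'EOF'
Sat Jun 22 10:01:02 UTC 2013 Remote user alice logged in as local user appuser from 10.0.0.5 52234 22
Sat Jun 22 10:05:40 UTC 2013 Remote user alice logged in as local user appuser from 10.0.0.5 52301 22
Sat Jun 22 11:12:09 UTC 2013 Remote user backup logged in as local user appuser from 10.0.0.9 41000 22
EOF

echo "== authorized_keys audit =="
audit_authorized_keys "$SAMPLE_DIR/authorized_keys"
echo "== access log summary =="
summarize_access_log "$SAMPLE_DIR/ssh_access.log"
```

Run the audit against each generic account's ~/.ssh/authorized_keys; any UNATTRIBUTED line is a key whose logins will show up in the log with no remote user. Pairing the summary with sshd's own "Accepted publickey" entries in /var/log/secure (which, at LogLevel VERBOSE, include the key fingerprint) gives a second, sshd-side record that does not depend on the user's login shell.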
 
LVL 79

Expert Comment

by:arnold
ID: 39268692
Your /var/log/secure and /var/log/messages will include the IP from which the user is connecting

last username

You gave people keys to your house and then you are asking us to help you identify which individuals are using the keys you provided.

 

Author Comment

by:nokyplease
ID: 39269282
Hi,

I added the logging command to /etc/profile, and it can only log access for those users using the bash shell? I have users using csh, and nothing is being logged. Also, it seems I need to give write permission to the generic user account on the logging file; otherwise I get permission denied on login.

thanks.
 
LVL 68

Accepted Solution

by:woolmilkporc
woolmilkporc earned 2000 total points
ID: 39269334
Yes, the generic users need write permission, because the log entry is created from the login shells of those users.

One more reason to consider using syslog (even remote syslog to inhibit local root access).

For csh/tcsh users you will have to add the logging command to /etc/csh.login or /etc/csh.cshrc.

Besides that, the syntax must be slightly different.

File:

if ($?OUSER) then
   echo "`date` Remote user $OUSER logged in as local user $USER from $SSH_CLIENT" >> /var/log/ssh_access.log
endif

Syslog:

if ($?OUSER) then
   logger -t ssh_access -p auth.info "Remote user $OUSER logged in as local user $USER from $SSH_CLIENT"
endif
 

Author Closing Comment

by:nokyplease
ID: 39273554
thanks
