SSH FingerprintLogging: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
m (Text replacement - "<source" to "<syntaxhighlight")
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie:SSH|Fingerprint]]
[[Category:SSH|Fingerprint]]
[[Kategorie:Bash|Fingerprint]]
[[Category:Bash|Fingerprint]]
=SSH Fingerprintlogging=
=SSH Fingerprintlogging=
==Why logging fingerprints?==
==Why logging fingerprints?==
It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user.
It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user.
==The AuthorizedKeysCommand==
* /opt/sbin/fingerprintlog:
<syntaxhighlight lang=bash>
#!/bin/bash
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
# Arguments to AuthorizedKeysCommand may be provided using the following tokens, which will be expanded at runtime:
#  %% is replaced by a literal '%',
#  %u is replaced by the username being authenticated,
#  %h is replaced by the home directory of the user being authenticated,
#  %t is replaced with the key type offered for authentication,
#  %f is replaced with the fingerprint of the key, and
#  %k is replaced with the key being offered for authentication.
#  If no arguments are specified then the username of the target user will be supplied.
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1
LOGFILE=$1
USER=$2
KEY=$3
KEYTYPE=$4
FINGERPRINT=$5
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> ${LOGFILE}
</syntaxhighlight>
<syntaxhighlight lang=bash>
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog
</syntaxhighlight>
==Create the logfile==
* /var/log/fingerprint.log
<syntaxhighlight lang=bash>
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log
</syntaxhighlight>
==Setup logrotation==
* /etc/logrotate.d/fingerprintlog
<syntaxhighlight lang=bash>
/var/log/fingerprint.log
{
        su daemon syslog
        create 0640 daemon ssh-user
        rotate 8
        weekly
        missingok
        notifempty
}
</syntaxhighlight>
==Add fingerprint logging to sshd==
* /etc/ssh/sshd_config
<syntaxhighlight lang=bash>
...
DenyUsers daemon
AuthorizedKeysCommand          /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
AuthorizedKeysCommandUser      daemon
...
</syntaxhighlight>
Restart sshd
<syntaxhighlight lang=bash>
# systemctl restart ssh.service
</syntaxhighlight>
==Add magic to your .bashrc==
==Add magic to your .bashrc==
<syntaxhighlight lang=bash>
* ~/.bashrc
# apt install gawk
</syntaxhighlight>


* ~/.bashrc
<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
...
...
# Match parent PID or grand parent PID against fingerprint.log
FINGERPRINT=$([ -z "${SSH_CLIENT}" ] || { ssh_client_array=( ${SSH_CLIENT} ); [ -z "${SSH_CLIENT}" ] || journalctl --lines=100 --grep "Accepted publickey for .* ${ssh_client_array[0]} port ${ssh_client_array[1]} ssh2:" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}' ; })
[ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="(${PPID}|$(awk '{print $4;}' /proc/${PPID}/stat))" -v user=${LOGNAME} '$5 ~ "^PPID="ppid"$" {gsub(/^FP=/,"",$6); gsub(/\//,"_",$6); print $6;exit;}' /var/log/fingerprint.log)
 
# Set the history file
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
...
</syntaxhighlight>
</syntaxhighlight>
This greps the last line matching the current ssh client IP and port from ssh.service journal and sets the last field (what is the hash/fingerprint of the accepted public key) as FINGERPRINT. Then it sets the HISTFILE to whatever is set: $FINGERPRINT, $SUDO_USER or "-default".

Latest revision as of 06:36, 16 January 2025

SSH Fingerprintlogging

Why logging fingerprints?

It is just for the possibility of setting the Bash HISTFILE per logged in user.

Add magic to your .bashrc

  • ~/.bashrc
...
FINGERPRINT=$([ -z "${SSH_CLIENT}" ] || { ssh_client_array=( ${SSH_CLIENT} ); [ -z "${SSH_CLIENT}" ] || journalctl --lines=100 --grep "Accepted publickey for .* ${ssh_client_array[0]} port ${ssh_client_array[1]} ssh2:" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}' ; })
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...

This greps the last line matching the current ssh client IP and port from ssh.service journal and sets the last field (what is the hash/fingerprint of the accepted public key) as FINGERPRINT. Then it sets the HISTFILE to whatever is set: $FINGERPRINT, $SUDO_USER or "-default".

Retrieved from "https://lars.timmann.de/wiki/index.php?title=SSH_FingerprintLogging&oldid=2808"