SSH FingerprintLogging: Difference between revisions

From Lolly's Wiki
No edit summary
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie:SSH Fingerprint]]
[[Category:SSH|Fingerprint]]
[[Kategorie:Bash Fingerprint]]
[[Category:Bash|Fingerprint]]
=SSH Fingerprintlogging=
=SSH Fingerprintlogging=
==Why logging fingerprints?==
==Why logging fingerprints?==
It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user.
It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user.
==The AuthorizedKeysCommand==
==Add magic to your .bashrc==
* /opt/sbin/fingerprintlog:
* ~/.bashrc
<source lang=bash>
Not fully working... wait...
#!/bin/bash
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
# Arguments to AuthorizedKeysCommand may be provided using the following tokens, which will be expanded at runtime:
#  %% is replaced by a literal '%',
#  %u is replaced by the username being authenticated,
#  %h is replaced by the home directory of the user being authenticated,
#  %t is replaced with the key type offered for authentication,
#  %f is replaced with the fingerprint of the key, and
#  %k is replaced with the key being offered for authentication.
#  If no arguments are specified then the username of the target user will be supplied.
 
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1
LOGFILE=$1
USER=$2
KEY=$3
KEYTYPE=$4
FINGERPRINT=$5
 
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> ${LOGFILE}
</source>
 
<source lang=bash>
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog
</source>
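Review bot: in the removed /opt/sbin/fingerprintlog the redirect `>> ${LOGFILE}` leaves the path unquoted; write `>> "${LOGFILE}"` so an argument containing whitespace cannot split it. Two things the header comment should also say: the script writes nothing to stdout, so it only logs and sshd still takes the actual keys from AuthorizedKeysFile; and, per the `%k ... key being offered` token description, sshd runs the command once per key the client offers, so a client with several keys produces several `ssh-login` lines with the same PPID and a later PPID-based lookup may pick a key that was offered but not the one finally accepted.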


==Create the logfile==
<syntaxhighlight lang=bash>
* /var/log/fingerprint.log
<source lang=bash>
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log
</source>
==Setup logrotation==
* /etc/logrotate.d/fingerprintlog
<source lang=bash>
/var/log/fingerprint.log
{
        su daemon syslog
        create 0640 daemon ssh-user
        rotate 8
        weekly
        missingok
        notifempty
}
</source>
==Add fingerprint logging to sshd==
* /etc/ssh/sshd_config
<source lang=bash>
...
...
DenyUsers daemon
FINGERPRINT=$([ -z "${SSH_CLIENT}" ] || { ssh_client_array=( ${SSH_CLIENT} ); [ -z "${SSH_CLIENT}" ] || journalctl --lines=100 --grep "${ssh_client_array[0]} port ${ssh_client_array[1]}" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}' ; } )
AuthorizedKeysCommand          /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
AuthorizedKeysCommandUser      daemon
...
...
</source>
</syntaxhighlight>
Restart sshd
<source lang=bash>
# systemctl restart ssh.service
</source>
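Review bot: the `<syntaxhighlight lang=bash>` opened right after `==Create the logfile==` is only closed after the sshd_config block, with `<source>` blocks nested inside it, so everything in between (the `==Setup logrotation==` and `==Add fingerprint logging to sshd==` headings included) renders as one code box with literal inner tags; drop the outer tag or close it before the next heading. The sshd_config excerpt itself is sound: `AuthorizedKeysCommandUser daemon` together with `DenyUsers daemon` keeps the logging account itself from logging in over SSH.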


==Add magic to your .bashrc==
or
<source lang=bash>
# apt install gawk
</source>


* ~/.bashrc
<syntaxhighlight lang=bash>
<source lang=bash>
...
...
[ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="${PPID}" -v user=${LOGNAME} 'BEGIN{split(ssh_connection,connection);}$5 ~ "PPID="ppid"$" {gsub(/^FP=/,"",$6); gsub(/\//,"_",$6); print $6;exit;}' /var/log/fingerprint.log)
FINGERPRINT=$([ -z "${SSH_CLIENT}" ] || { ssh_client_array=( ${SSH_CLIENT} ); [ -z "${SSH_CLIENT}" ] || journalctl --lines=100 --grep "${ssh_client_array[0]} port ${ssh_client_array[1]}" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}' ; })
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
...
</source>
</syntaxhighlight>
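Review bot: the journalctl-based replacement drops the `gsub(/\//,"_",$6)` step the gawk line performed; a SHA256 fingerprint is base64 and can contain `/`, in which case `~/.bash_history_SHA256:.../...` names a file inside a directory that does not exist and bash silently stops saving history. Sanitize before exporting, e.g. `FINGERPRINT=${FINGERPRINT//\//_}`. The second `[ -z "${SSH_CLIENT}" ]` inside the braces repeats the first test and can go. `awk 'END{print $NF}'` prints the last field of the last journal line that mentions `addr port N`, which is any line about that connection rather than specifically the line sshd logs for the accepted key, so the result can be an unrelated word; match that line explicitly. Reading the ssh.service journal as an unprivileged user also normally requires membership in the systemd-journal or adm group, otherwise the lookup is empty and the `${SUDO_USER:-default}` fallback hides the failure.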

Latest revision as of 11:57, 6 June 2024

SSH Fingerprintlogging

Why log fingerprints?

The only purpose is to be able to set the Bash HISTFILE per logged-in user, keyed by the SSH key fingerprint rather than by the account name.

Add magic to your .bashrc

  • ~/.bashrc

Not fully working... wait...

...
if [ -n "${SSH_CLIENT}" ]; then   # SSH_CLIENT is "client-addr client-port server-port"
    read -r ssh_client_addr ssh_client_port _rest <<< "${SSH_CLIENT}"
    FINGERPRINT=$(journalctl --lines=100 --grep "${ssh_client_addr} port ${ssh_client_port}" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}')
    FINGERPRINT=${FINGERPRINT//\//_}   # a base64 fingerprint may contain '/', which must not end up in the path
fi
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...

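As an added example (not code from the wiki page), here is a lookup that only accepts the line sshd logs for the accepted key of the client address and port from SSH_CLIENT, so a later disconnect line for the same connection cannot be mistaken for a fingerprint, plus a sanitizer that keeps `/` out of the HISTFILE name. The journal lines, `fingerprint_for_client` and `histfile_for_fingerprint` are constructed for this example; it assumes sshd's "Accepted publickey ... ssh2: TYPE SHA256:..." message format.

```shell
#!/bin/bash
# Added example, not code from the wiki page. It assumes sshd's journal lines look like
# "... sshd[PID]: Accepted publickey for USER from ADDR port PORT ssh2: TYPE SHA256:..."
# and uses constructed sample lines instead of a real `journalctl -u ssh.service` run.

# Constructed journal excerpt: one client (203.0.113.5:51234) logs in, another client
# logs in, then the first client disconnects. The last line for 203.0.113.5 port 51234
# is NOT the accepted-key line, which is exactly the case `awk 'END{print $NF}'` gets wrong.
SAMPLE_JOURNAL='Jun 06 11:50:01 host sshd[4242]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:AbC/dEf+GhI0123456789abcdefghijklmnopqrstuv
Jun 06 11:50:01 host sshd[4242]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Jun 06 11:52:13 host sshd[4300]: Accepted publickey for bob from 203.0.113.9 port 40000 ssh2: RSA SHA256:ZZZzzz
Jun 06 11:55:40 host sshd[4242]: Disconnected from user alice 203.0.113.5 port 51234'

# fingerprint_for_client ADDR PORT   (journal text on stdin)
# Prints the fingerprint of the key sshd accepted for that client address and port,
# or nothing when no accepted-key line for it exists.
fingerprint_for_client() {
    awk -v needle="from $1 port $2 ssh2:" '
        /Accepted publickey for / && index($0, needle) > 0 { fp = $NF; exit }
        END { if (fp != "") print fp }'
}

# histfile_for_fingerprint FP
# Builds ~/.bash_history_<fp> after replacing every character outside
# [A-Za-z0-9:_-] with "_", so the base64 "/" and "+" cannot turn the name into a path.
histfile_for_fingerprint() {
    printf '%s/.bash_history_%s\n' "$HOME" "$(printf '%s' "$1" | sed 's#[^A-Za-z0-9:_-]#_#g')"
}

# Demo on the constructed input. In a real ~/.bashrc, replace the printf with
#   journalctl --unit=ssh.service --no-pager --quiet --lines=200
# and take ADDR and PORT from the first two words of $SSH_CLIENT.
fp=$(printf '%s\n' "$SAMPLE_JOURNAL" | fingerprint_for_client 203.0.113.5 51234)
echo "fingerprint: ${fp:-<none>}"
echo "HISTFILE:    $(histfile_for_fingerprint "${fp:-default}")"
```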