SSH FingerprintLogging: Difference between revisions
m (Text replacement - "</source" to "</syntaxhighlight") |
Line 27: | Line 27: | ||
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> ${LOGFILE} | printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> ${LOGFILE} | ||
</ | </syntaxhighlight> | ||
<source lang=bash> | <source lang=bash> | ||
# chmod 0750 /opt/sbin/fingerprintlog | # chmod 0750 /opt/sbin/fingerprintlog | ||
# chown root:daemon /opt/sbin/fingerprintlog | # chown root:daemon /opt/sbin/fingerprintlog | ||
</ | </syntaxhighlight> | ||
==Create the logfile== | ==Create the logfile== | ||
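Review bot: the replacement only rewrites the closing tags, so after this hunk the unchanged context line `<source lang=bash>` is still paired with `</syntaxhighlight>`; the tag parser looks for a matching `</source>` and will treat the block as unterminated. The opening tags should be changed in the same edit, e.g. `<syntaxhighlight lang="bash">`, which applies to every hunk below as well.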
Line 40: | Line 40: | ||
# chown daemon:ssh-user /var/log/fingerprint.log | # chown daemon:ssh-user /var/log/fingerprint.log | ||
# chmod 0640 /var/log/fingerprint.log | # chmod 0640 /var/log/fingerprint.log | ||
</ | </syntaxhighlight> | ||
==Setup logrotation== | ==Setup logrotation== | ||
* /etc/logrotate.d/fingerprintlog | * /etc/logrotate.d/fingerprintlog | ||
Line 53: | Line 53: | ||
notifempty | notifempty | ||
} | } | ||
</ | </syntaxhighlight> | ||
==Add fingerprint logging to sshd== | ==Add fingerprint logging to sshd== | ||
* /etc/ssh/sshd_config | * /etc/ssh/sshd_config | ||
Line 62: | Line 62: | ||
AuthorizedKeysCommandUser daemon | AuthorizedKeysCommandUser daemon | ||
... | ... | ||
</ | </syntaxhighlight> | ||
Restart sshd | Restart sshd | ||
<source lang=bash> | <source lang=bash> | ||
# systemctl restart ssh.service | # systemctl restart ssh.service | ||
</ | </syntaxhighlight> | ||
==Add magic to your .bashrc== | ==Add magic to your .bashrc== | ||
<source lang=bash> | <source lang=bash> | ||
# apt install gawk | # apt install gawk | ||
</ | </syntaxhighlight> | ||
* ~/.bashrc | * ~/.bashrc | ||
Line 82: | Line 82: | ||
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}} | export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}} | ||
... | ... | ||
</ | </syntaxhighlight> |
Revision as of 16:38, 25 November 2021
SSH Fingerprintlogging
Why log fingerprints?
The only purpose is to be able to set the Bash HISTFILE per logged-in user, keyed on the fingerprint of the SSH key that was used to log in.
The AuthorizedKeysCommand
* /opt/sbin/fingerprintlog:
<syntaxhighlight lang="bash">
#!/bin/bash
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
#
# Arguments to AuthorizedKeysCommand may be provided using the following tokens, which will be expanded at runtime:
#   %% is replaced by a literal '%',
#   %u is replaced by the username being authenticated,
#   %h is replaced by the home directory of the user being authenticated,
#   %t is replaced with the key type offered for authentication,
#   %f is replaced with the fingerprint of the key, and
#   %k is replaced with the key being offered for authentication.
# If no arguments are specified then the username of the target user will be supplied.

# Refuse to run as anyone but the AuthorizedKeysCommandUser (daemon).
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1

LOGFILE=$1
USER=$2
KEY=$3
KEYTYPE=$4
FINGERPRINT=$5

# Append one line per authentication attempt. ${PPID} is the sshd process that
# invoked us; the .bashrc snippet below matches it against the session shell's
# parent or grandparent PID. Nothing is written to stdout, so no keys are
# returned to sshd and the usual authorized_keys files stay in effect.
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> "${LOGFILE}"
</syntaxhighlight>
Note that sshd runs the AuthorizedKeysCommand for every public key the client offers, not only for the one that is finally accepted, so the log can contain several entries with the same PPID.
<syntaxhighlight lang="bash">
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog
</syntaxhighlight>
Create the logfile
* /var/log/fingerprint.log
<syntaxhighlight lang="bash">
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log
</syntaxhighlight>
Setup logrotation
* /etc/logrotate.d/fingerprintlog
<syntaxhighlight lang="bash">
/var/log/fingerprint.log {
    su daemon syslog
    create 0640 daemon ssh-user
    rotate 8
    weekly
    missingok
    notifempty
}
</syntaxhighlight>
Add fingerprint logging to sshd
* /etc/ssh/sshd_config
<syntaxhighlight lang="bash">
...
DenyUsers daemon
AuthorizedKeysCommand /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
AuthorizedKeysCommandUser daemon
...
</syntaxhighlight>
Restart sshd
<syntaxhighlight lang="bash">
# systemctl restart ssh.service
</syntaxhighlight>
Add magic to your .bashrc
<syntaxhighlight lang="bash">
# apt install gawk
</syntaxhighlight>
* ~/.bashrc
<syntaxhighlight lang="bash">
...
# Match the parent PID or the grandparent PID of this shell against fingerprint.log.
# Field 4 of /proc/<pid>/stat is the parent PID, so the inner awk yields the grandparent.
# Log fields are: date ssh-login T=<type> U=<user> PPID=<pid> FP=<fingerprint> K=<key>.
# The fingerprint of the first line whose PPID matches is taken, and its '/' characters
# are replaced by '_' so it can be used in a file name. (user is passed to awk but unused.)
[ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="(${PPID}|$(awk '{print $4;}' /proc/${PPID}/stat))" -v user="${LOGNAME}" '$5 ~ "^PPID="ppid"$" {gsub(/^FP=/,"",$6); gsub(/\//,"_",$6); print $6;exit;}' /var/log/fingerprint.log)
# Set the history file: fingerprint, else SUDO_USER, else "default"
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
</syntaxhighlight>
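To check the lookup above without a live sshd, here is an added example (not part of the wiki page) that runs the same awk matching over a constructed fingerprint.log. The PIDs, user names, fingerprints and key strings are made up, and the parent and grandparent PIDs are passed as arguments instead of being read from /proc.

```shell
#!/bin/bash
# Added example (not from the wiki page): runs the .bashrc lookup logic over a
# constructed fingerprint.log so it can be checked without a live sshd.
# All PIDs, user names, fingerprints and key material below are made up.

# Constructed sample log in the format written by /opt/sbin/fingerprintlog.
# Lines 1 and 3 share PPID 4711: line 1 holds a '/' in its fingerprint, and
# line 3 shows that only the first match for a PID is used.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021-11-25T16:00:01+00:00 ssh-login T=ssh-ed25519 U=alice PPID=4711 FP=SHA256:abc/def+ghi K=ssh-ed25519 AAAAC3example
2021-11-25T16:00:05+00:00 ssh-login T=ssh-rsa U=bob PPID=4800 FP=SHA256:zzz K=ssh-rsa AAAAB3example
2021-11-25T16:00:09+00:00 ssh-login T=ssh-ed25519 U=alice PPID=4711 FP=SHA256:second K=ssh-ed25519 AAAAC3example
EOF

# Same awk program as the .bashrc snippet, but the shell's parent and
# grandparent PIDs are passed in instead of being read from /proc.
# Prints the matching fingerprint with '/' replaced by '_' (file-name safe),
# or nothing when no log line matches either PID.
lookup_fingerprint() {
    local logfile=$1 ppid=$2 gppid=$3
    awk -v ppid="(${ppid}|${gppid})" \
        '$5 ~ "^PPID="ppid"$" { gsub(/^FP=/, "", $6); gsub(/\//, "_", $6); print $6; exit }' \
        "$logfile"
}

# Mirrors the HISTFILE expansion from .bashrc: fingerprint, else SUDO_USER,
# else "default". $1 = fingerprint (may be empty), $2 = SUDO_USER (may be empty).
histfile_for() {
    local fp=$1 sudo_user=$2
    printf '%s\n' "$HOME/.bash_history_${fp:-${sudo_user:-default}}"
}

# Stand-alone demonstration: parent 4711 resolves to alice's first key,
# parent 9999 only matches through grandparent 4800, and no match falls back.
histfile_for "$(lookup_fingerprint "$SAMPLE_LOG" 4711 1)" ""
histfile_for "$(lookup_fingerprint "$SAMPLE_LOG" 9999 4800)" ""
histfile_for "$(lookup_fingerprint "$SAMPLE_LOG" 1 2)" "carol"
```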