Line 4: |
Line 4: |
| ==Why logging fingerprints?== | | ==Why logging fingerprints?== |
| It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user. | | It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user. |
| ==The AuthorizedKeysCommand==
| |
| * /opt/sbin/fingerprintlog:
| |
| <syntaxhighlight lang=bash>
| |
| #!/bin/bash
| |
|
| |
| # /opt/sbin/fingerprintlog <logfile> %u %k %t %f
| |
| # Arguments to AuthorizedKeysCommand may be provided using the following tokens, which will be expanded at runtime:
| |
| # %% is replaced by a literal '%',
| |
| # %u is replaced by the username being authenticated,
| |
| # %h is replaced by the home directory of the user being authenticated,
| |
| # %t is replaced with the key type offered for authentication,
| |
| # %f is replaced with the fingerprint of the key, and
| |
| # %k is replaced with the key being offered for authentication.
| |
| # If no arguments are specified then the username of the target user will be supplied.
| |
|
| |
| [ "_${LOGNAME}_" != "_daemon_" ] && exit 1
| |
| LOGFILE=$1
| |
| USER=$2
| |
| KEY=$3
| |
| KEYTYPE=$4
| |
| FINGERPRINT=$5
| |
|
| |
| printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> ${LOGFILE}
| |
| </syntaxhighlight>
| |
|
| |
| <syntaxhighlight lang=bash>
| |
| # chmod 0750 /opt/sbin/fingerprintlog
| |
| # chown root:daemon /opt/sbin/fingerprintlog
| |
| </syntaxhighlight>
| |
|
| |
| ==Create the logfile==
| |
| * /var/log/fingerprint.log
| |
| <syntaxhighlight lang=bash>
| |
| # touch /var/log/fingerprint.log
| |
| # chown daemon:ssh-user /var/log/fingerprint.log
| |
| # chmod 0640 /var/log/fingerprint.log
| |
| </syntaxhighlight>
| |
| ==Setup logrotation==
| |
| * /etc/logrotate.d/fingerprintlog
| |
| <syntaxhighlight lang=bash>
| |
| /var/log/fingerprint.log
| |
| {
| |
| su daemon syslog
| |
| create 0640 daemon ssh-user
| |
| rotate 8
| |
| weekly
| |
| missingok
| |
| notifempty
| |
| }
| |
| </syntaxhighlight>
| |
| ==Add fingerprint logging to sshd==
| |
| * /etc/ssh/sshd_config
| |
| <syntaxhighlight lang=bash>
| |
| ...
| |
| DenyUsers daemon
| |
| AuthorizedKeysCommand /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
| |
| AuthorizedKeysCommandUser daemon
| |
| ...
| |
| </syntaxhighlight>
| |
| Restart sshd
| |
| <syntaxhighlight lang=bash>
| |
| # systemctl restart ssh.service
| |
| </syntaxhighlight>
| |
|
| |
| ==Add magic to your .bashrc== | | ==Add magic to your .bashrc== |
| <syntaxhighlight lang=bash>
| |
| # apt install gawk
| |
| </syntaxhighlight>
| |
|
| |
| * ~/.bashrc | | * ~/.bashrc |
| <syntaxhighlight lang=bash> | | <syntaxhighlight lang=bash> |
| ... | | ... |
| # Match parent PID or grand parent PID against fingerprint.log
| | FINGERPRINT=$(ssh_client_array=( ${SSH_CLIENT} ); journalctl --lines=100 --grep "${ssh_client_array[0]} port ${ssh_client_array[1]}" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}') |
| [ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="(${PPID}|$(awk '{print $4;}' /proc/${PPID}/stat))" -v user=${LOGNAME} '$5 ~ "^PPID="ppid"$" {gsub(/^FP=/,"",$6); gsub(/\//,"_",$6); print $6;exit;}' /var/log/fingerprint.log)
| |
| | |
| # Set the history file
| |
| export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}} | | export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}} |
| ... | | ... |
| </syntaxhighlight> | | </syntaxhighlight> |
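Review bot: The guard at the top of /opt/sbin/fingerprintlog, `[ "_${LOGNAME}_" != "_daemon_" ] && exit 1`, only inspects an environment variable chosen by whatever process runs the script, and the final `>> ${LOGFILE}` is unquoted; `[ "$(id -un)" = daemon ] || exit 1` checks the real uid and `>> "${LOGFILE}"` keeps the path intact. A comment above the printf should say that sshd invokes AuthorizedKeysCommand for every key the client offers, so one session can produce several lines with the same PPID and the `exit` after the first match in the .bashrc gawk program (assuming the gawk line is the new side of this edit) may return a key that was offered rather than the one that authenticated — e.g. `# one line per key offered, not per successful login`. In that .bashrc line `-v user=${LOGNAME}` is never referenced by the awk program and can be dropped, `${PPID}` and `${LOGNAME}` should be quoted, and field 4 of /proc/PID/stat is misread when the parent's comm name contains a space. Since the log is created 0640 daemon:ssh-user, every member of ssh-user can read the usernames, PPIDs and public keys of all logins; that is only public material, but the page should state it.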