SSH FingerprintLogging

From Lolly's Wiki

Revision as of 16:38, 25 November 2021

SSH Fingerprintlogging

Why log fingerprints?

It is only there to make it possible to set the Bash HISTFILE per logged-in user, keyed by the fingerprint of the SSH key that was used to log in.

The AuthorizedKeysCommand

  • /opt/sbin/fingerprintlog:

<syntaxhighlight lang=bash>
#!/bin/bash
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
#
# Arguments to AuthorizedKeysCommand may be provided using the following tokens,
# which will be expanded at runtime:
#   %% is replaced by a literal '%',
#   %u is replaced by the username being authenticated,
#   %h is replaced by the home directory of the user being authenticated,
#   %t is replaced with the key type offered for authentication,
#   %f is replaced with the fingerprint of the key, and
#   %k is replaced with the key being offered for authentication.
# If no arguments are specified then the username of the target user will be supplied.

# Refuse to run unless invoked by sshd as the AuthorizedKeysCommandUser (daemon).
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1

LOGFILE=$1
USER=$2
KEY=$3
KEYTYPE=$4
FINGERPRINT=$5

# ${PPID} is the sshd process handling this connection; the .bashrc lookup
# matches it against the shell's parent or grandparent PID.
# sshd runs this command once for every key the client offers, so rejected
# keys are logged too. Nothing is written to stdout, so no keys are added:
# authentication still depends on the normal authorized_keys files.
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> "${LOGFILE}"
</syntaxhighlight>

<syntaxhighlight lang=bash>
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog
</syntaxhighlight>

Create the logfile

  • /var/log/fingerprint.log

The group ssh-user must exist and contain every user whose .bashrc is supposed to read the log; daemon only needs to append to it.

<syntaxhighlight lang=bash>
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log
</syntaxhighlight>

Setup logrotation

  • /etc/logrotate.d/fingerprintlog

Note that .bashrc only reads the current file, so a shell started in a session whose login was logged before the weekly rotation falls back to the default history file.

<syntaxhighlight lang=bash>
/var/log/fingerprint.log {
        su daemon syslog
        create 0640 daemon ssh-user
        rotate 8
        weekly
        missingok
        notifempty
}
</syntaxhighlight>

Add fingerprint logging to sshd

  • /etc/ssh/sshd_config

<syntaxhighlight lang=bash>
...
DenyUsers daemon
AuthorizedKeysCommand /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
AuthorizedKeysCommandUser      daemon
...
</syntaxhighlight>

Check the new configuration with sshd -t, then restart sshd:

<syntaxhighlight lang=bash>
# systemctl restart ssh.service
</syntaxhighlight>

Add magic to your .bashrc

<syntaxhighlight lang=bash>
# apt install gawk
</syntaxhighlight>

  • ~/.bashrc

<syntaxhighlight lang=bash>
...
# Match parent PID or grandparent PID against fingerprint.log.
# The shell's parent is the sshd child running the session and its grandparent
# is the sshd process that ran the AuthorizedKeysCommand, so either may be the
# PID recorded in the log. The last matching record wins: sshd runs the command
# once per key the client offers, so the accepted key is the last one logged
# for this connection. Slashes in the fingerprint are replaced for use in a filename.
[ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="(${PPID}|$(awk '{print $4;}' /proc/${PPID}/stat))" -v user="${LOGNAME}" '$4 == ("U=" user) && $5 ~ ("^PPID=" ppid "$") {gsub(/^FP=/,"",$6); gsub(/\//,"_",$6); fp=$6} END{print fp}' /var/log/fingerprint.log)

# Set the history file: one per key fingerprint, falling back to the sudo
# caller's name and then to "default" when no fingerprint was found.
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
</syntaxhighlight>
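As an added offline walk-through of the flow above (example code written for this page, not one of the wiki's own scripts): `log_login` writes records in the same layout as /opt/sbin/fingerprintlog, and `lookup_fingerprint` is the .bashrc lookup with the candidate PIDs passed in as a parameter instead of being read from /proc, so it can be run against a constructed log file. The function names, the sample users, the PIDs and the key and fingerprint values are this example's own; it uses plain awk rather than gawk and a portable date format so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example: offline simulation of the fingerprint log and the .bashrc lookup.
# Names and sample values are constructed for this example.

# log_login LOGFILE USER KEY KEYTYPE FINGERPRINT SSHD_PID
# Same record layout as /opt/sbin/fingerprintlog. The sshd PID is a parameter
# here because we are not being forked by sshd (the real script uses ${PPID}).
log_login() {
    printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" \
        "$(date +%Y-%m-%dT%H:%M:%S%z)" "$4" "$2" "$6" "$5" "$3" >> "$1"
}

# lookup_fingerprint LOGFILE USER PIDLIST
# PIDLIST is a regex alternation such as "(4711|4710)", i.e. the shell's parent
# and grandparent PID as built in .bashrc. The LAST matching record is kept:
# sshd runs the AuthorizedKeysCommand once per key the client offers, so the
# key that was finally accepted is the last one logged for that connection.
# The user check guards against a reused PID from another account's session.
# Slashes in the base64 fingerprint are replaced so it can be used in a filename.
lookup_fingerprint() {
    awk -v ppid="$3" -v user="$2" '
        $4 == ("U=" user) && $5 ~ ("^PPID=" ppid "$") {
            fp = $6
            sub(/^FP=/, "", fp)
            gsub(/\//, "_", fp)
        }
        END { print fp }
    ' "$1"
}

# Constructed sample session: a stale record from a reused PID (bob), then a
# connection in which alice's client offers a rejected key before the accepted one.
demo() {
    log="$(mktemp)"
    log_login "$log" bob   KEYOLD ssh-ed25519 "SHA256:oldkey/from/bob" 4711
    log_login "$log" alice KEYREJ ssh-rsa     "SHA256:reject/ed+key"   4711
    log_login "$log" alice KEYACC ssh-ed25519 "SHA256:accep/ted+key"   4711
    # Shell PPID 9999 (session child), grandparent 4711 (the sshd that logged).
    lookup_fingerprint "$log" alice "(9999|4711)"   # SHA256:accep_ted+key
    rm -f "$log"
}

demo
```

The result is the value that would end up in HISTFILE as ~/.bash_history_SHA256:accep_ted+key. With the original first-match lookup the rejected key's fingerprint would have been chosen instead, so a user with several keys in their agent would get a history file named after a key that never logged them in.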