SSH FingerprintLogging: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
(Die Seite wurde neu angelegt: „Kategorie:SSH Kategorie:Bash =Why logging fingerprints?= It is just for the possibility of setting the Bash HISTFILE per logged in user. ==The Auth…“)
 
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Kategorie:SSH]]
[[Category:SSH|Fingerprint]]
[[Kategorie:Bash]]
[[Category:Bash|Fingerprint]]
=Why logging fingerprints?=
=SSH Fingerprintlogging=
==Why logging fingerprints?==
It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user.
It is just for the possibility of setting the [[Bash]] HISTFILE per logged in user.
==The AuthorizedKeysCommand==
* /opt/sbin/fingerprintlog:
<source lang=bash>
#!/bin/bash
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
# Arguments to AuthorizedKeysCommand may be provided using the following tokens, which will be expanded at runtime:
#  %% is replaced by a literal '%',
#  %u is replaced by the username being authenticated,
#  %h is replaced by the home directory of the user being authenticated,
#  %t is replaced with the key type offered for authentication,
#  %f is replaced with the fingerprint of the key, and
#  %k is replaced with the key being offered for authentication.
#  If no arguments are specified then the username of the target user will be supplied.
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1
LOGFILE=$1
USER=$2
KEY=$3
KEYTYPE=$4
FINGERPRINT=$5
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> ${LOGFILE}
</source>
<source lang=bash>
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog
</source>
==Create the logfile==
* /var/log/fingerprint.log
<source lang=bash>
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log
</source>
==Setup logrotation==
* /etc/logrotate.d/fingerprintlog
<source lang=bash>
/var/log/fingerprint.log
{
        su daemon syslog
        create 0640 daemon ssh-user
        rotate 8
        weekly
        missingok
        notifempty
}
</source>
==Add fingerprint logging to sshd==
* /etc/ssh/sshd_config
<source lang=bash>
...
DenyUsers daemon
AuthorizedKeysCommand          /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
AuthorizedKeysCommandUser      daemon
...
</source>
Restart sshd
<source lang=bash>
# systemctl restart ssh.service
</source>
==Add magic to your .bashrc==
==Add magic to your .bashrc==
<source lang=bash>
* ~/.bashrc
# apt install gawk
Not fully working... wait...
</source>


* ~/.bashrc
<syntaxhighlight lang=bash>
<source lang=bash>
...
...
[ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="${PPID}" -v user=${LOGNAME} 'BEGIN{split(ssh_connection,connection);}$5 ~ "PPID="ppid"$" {gsub(/^FP=/,"",$6); gsub(/\//,"_",$6); print $6;exit;}' /var/log/fingerprint.log)
FINGERPRINT=$([ -z "${SSH_CLIENT}" ] || { ssh_client_array=( ${SSH_CLIENT} ); [ -z "${SSH_CLIENT}" ] || journalctl --lines=100 --grep "${ssh_client_array[0]} port ${ssh_client_array[1]}" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}' ; } )
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
...
</source>
</syntaxhighlight>

Latest revision as of 09:29, 14 July 2023

SSH Fingerprintlogging

Why logging fingerprints?

It is just for the possibility of setting the Bash HISTFILE per logged in user.

Add magic to your .bashrc

  • ~/.bashrc

Not fully working... wait... 

...
FINGERPRINT=$([ -z "${SSH_CLIENT}" ] || { ssh_client_array=( ${SSH_CLIENT} ); [ -z "${SSH_CLIENT}" ] || journalctl --lines=100 --grep "${ssh_client_array[0]} port ${ssh_client_array[1]}" --no-pager --quiet --unit=ssh.service | awk 'END{print $NF}' ; } )
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
Retrieved from "https://lars.timmann.de/wiki/index.php?title=SSH_FingerprintLogging&oldid=2751"