SSH FingerprintLogging

From Lolly's Wiki
Revision as of 13:41, 17 May 2018 by Lollypop (talk | contribs)


Why log fingerprints?

The only purpose here is to make it possible to set a separate Bash HISTFILE per logged-in user, identified by the fingerprint of the SSH key that was used to log in.

The AuthorizedKeysCommand

  • /opt/sbin/fingerprintlog:
#!/bin/sh
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
# Arguments to AuthorizedKeysCommand may be provided using the following tokens, which will be expanded at runtime:
#  %% is replaced by a literal '%',
#  %u is replaced by the username being authenticated,
#  %h is replaced by the home directory of the user being authenticated,
#  %t is replaced with the key type offered for authentication,
#  %f is replaced with the fingerprint of the key, and
#  %k is replaced with the key being offered for authentication.
#  If no arguments are specified then the username of the target user will be supplied.

# sshd runs this as AuthorizedKeysCommandUser (daemon); refuse to run as anyone else.
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1

# Positional arguments as passed from sshd_config (see the token list above).
# Note: $USER/$LOGNAME inside this script belong to the command user (daemon),
# which is what the guard above relies on, so the authenticated user must be taken from %u.
LOGFILE="$1"
USERNAME="$2"     # %u
KEY="$3"          # %k
KEYTYPE="$4"      # %t
FINGERPRINT="$5"  # %f

printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USERNAME}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> "${LOGFILE}"

# Nothing is written to stdout, so sshd finds no keys here and falls through to AuthorizedKeysFile.
exit 0
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog

Create the logfile

  • /var/log/fingerprint.log
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log

Set up log rotation

  • /etc/logrotate.d/fingerprintlog
/var/log/fingerprint.log {
        su daemon syslog
        create 0640 daemon ssh-user
        rotate 8
}

Add fingerprint logging to sshd

  • /etc/ssh/sshd_config
DenyUsers                 daemon
AuthorizedKeysCommand     /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
AuthorizedKeysCommandUser daemon

Restart sshd

# systemctl restart ssh.service

Add magic to your .bashrc

# apt install gawk
  • ~/.bashrc
# Look up the fingerprint of the key that opened this session: the log line whose PPID
# field matches the sshd process that is the parent of this shell.
# The last matching line wins, because PIDs are reused and an older line with the
# same PPID may belong to an earlier session.
if [ -r /var/log/fingerprint.log ]; then
  FINGERPRINT=$(/usr/bin/gawk -v ppid="${PPID}" -v user="${LOGNAME}" '
    # Fields: 1=timestamp 2=ssh-login 3=T=keytype 4=U=user 5=PPID=pid 6=FP=fingerprint 7=K=key
    $4 == ("U=" user) && $5 == ("PPID=" ppid) { fp = $6 }
    END {
      sub(/^FP=/, "", fp)      # strip the field label
      gsub(/\//, "_", fp)      # "/" may occur in SHA256 fingerprints; make it filename-safe
      print fp
    }' /var/log/fingerprint.log)
fi
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
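As an added example (not from this wiki page), a small Python parser for the log format written by /opt/sbin/fingerprintlog. It shows the audit view the log enables (which key fingerprints logged into which account) and mirrors the ~/.bashrc lookup, including the case of a reused sshd PID, where the last matching entry must win. All log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format written by /opt/sbin/fingerprintlog:
# timestamp, "ssh-login", T=keytype, U=user, PPID=sshd pid, FP=fingerprint, K=base64 key.
# PPID 4242 appears twice to simulate PID reuse across two sessions.
SAMPLE_LOG = """\
2018-05-17T13:40:01+02:00 ssh-login T=ssh-ed25519 U=deploy PPID=4242 FP=SHA256:aaa/bbb+ccc K=AAAAC3NzaC1
2018-05-17T13:40:30+02:00 ssh-login T=ssh-rsa U=deploy PPID=4300 FP=SHA256:ddd/eee K=AAAAB3NzaC1
2018-05-17T13:41:05+02:00 ssh-login T=ssh-ed25519 U=deploy PPID=4242 FP=SHA256:fff+ggg K=AAAAC3NzaC2
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ssh-login T=(?P<keytype>\S+) U=(?P<user>\S+) "
    r"PPID=(?P<ppid>\d+) FP=(?P<fp>\S+) K=(?P<key>\S+)$"
)


def parse_fingerprint_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ppid"] = int(rec["ppid"])
            records.append(rec)
    return records


def keys_per_user(records):
    """Map each account to the set of key fingerprints that logged into it.
    This is the audit view: a shared account becomes attributable to individual keys."""
    result = defaultdict(set)
    for rec in records:
        result[rec["user"]].add(rec["fp"])
    return dict(result)


def histfile_for(records, user, ppid):
    """Mirror the ~/.bashrc lookup: last entry for this user and sshd PID wins
    (PIDs are reused, so the oldest match may belong to an earlier session), and
    '/' is replaced by '_' so the fingerprint is usable in the HISTFILE name.
    Falls back to 'default' (the .bashrc additionally tries SUDO_USER first)."""
    fp = None
    for rec in records:
        if rec["user"] == user and rec["ppid"] == ppid:
            fp = rec["fp"]
    if fp is None:
        return "~/.bash_history_default"
    return "~/.bash_history_" + fp.replace("/", "_")
```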