SSH FingerprintLogging

From Lolly's Wiki

Why log fingerprints?

The only purpose here is to give every SSH key, i.e. every person, its own Bash history file, even when several people log into the same account: sshd is told to log the fingerprint of the key each login was made with, and ~/.bashrc later looks that fingerprint up and sets HISTFILE accordingly.

Two things to keep in mind. sshd runs the AuthorizedKeysCommand for every public key a client offers, before the client has proven possession of it, so the log records offered keys rather than successful logins, and anybody who can reach the port can add lines to it. The authoritative record of who logged in stays sshd's own "Accepted publickey for <user> ... SHA256:..." line in the auth log; this file is only the lookup table for the history file. And since the lookup is keyed on process IDs, which get reused, the newest matching entry is the one to trust.

The AuthorizedKeysCommand

  • /opt/sbin/fingerprintlog (sshd only accepts an AuthorizedKeysCommand that is given as an absolute path, is owned by root and is not writable by group or others, hence the ownership and mode set at the end):
#!/bin/bash
 
# /opt/sbin/fingerprintlog <logfile> %u %k %t %f
#
# Run by sshd as AuthorizedKeysCommand (see sshd_config(5)). Arguments to
# AuthorizedKeysCommand may be provided using the following tokens, which
# will be expanded at runtime:
#  %% is replaced by a literal '%',
#  %u is replaced by the username being authenticated,
#  %h is replaced by the home directory of the user being authenticated,
#  %t is replaced with the key type offered for authentication,
#  %f is replaced with the fingerprint of the key, and
#  %k is replaced with the key being offered for authentication.
#  If no arguments are specified then the username of the target user will be supplied.
#
# Whatever an AuthorizedKeysCommand prints on stdout is used by sshd as
# authorized_keys content, so this script prints nothing: it only records the
# offered key, and authentication still relies on AuthorizedKeysFile.

# sshd runs the command as AuthorizedKeysCommandUser with USER and LOGNAME set
# to that account. Refuse to run as anybody else, e.g. when started by hand.
[ "_${LOGNAME}_" != "_daemon_" ] && exit 1
LOGFILE=$1
USER=$2
KEY=$3
KEYTYPE=$4
FINGERPRINT=$5

# One line per offered key. ~/.bashrc relies on this field order: it matches
# field 4 (U=) and field 5 (PPID=, the sshd process that ran this script) and
# reads the fingerprint from field 6 (FP=).
printf "%s ssh-login T=%s U=%s PPID=%s FP=%s K=%s\n" "$(/bin/date -Iseconds)" "${KEYTYPE}" "${USER}" "${PPID}" "${FINGERPRINT}" "${KEY}" >> "${LOGFILE}"
# chmod 0750 /opt/sbin/fingerprintlog
# chown root:daemon /opt/sbin/fingerprintlog

Create the logfile

  • /var/log/fingerprint.log, owned by daemon (the AuthorizedKeysCommandUser, which appends to it) and readable by group ssh-user, assumed here to be the group every interactive SSH user is a member of, so that their ~/.bashrc can read the file:
# touch /var/log/fingerprint.log
# chown daemon:ssh-user /var/log/fingerprint.log
# chmod 0640 /var/log/fingerprint.log

Set up log rotation

  • /etc/logrotate.d/fingerprintlog
/var/log/fingerprint.log
{
        su daemon syslog
        create 0640 daemon ssh-user
        rotate 8
        weekly
        missingok
        notifempty
}

Add fingerprint logging to sshd

  • /etc/ssh/sshd_config
...
# The AuthorizedKeysCommandUser must never be able to log in itself.
DenyUsers 	daemon
# Log every offered key. The script prints nothing, so keys are still taken
# from AuthorizedKeysFile only.
AuthorizedKeysCommand           /opt/sbin/fingerprintlog /var/log/fingerprint.log %u %k %t %f
AuthorizedKeysCommandUser       daemon
...

Restart sshd

Check the configuration first (sshd -t exits non-zero and names the offending line on errors) and keep the current session open until a fresh login has been verified, otherwise a typo locks you out:

# sshd -t && systemctl restart ssh.service

Add magic to your .bashrc

# apt install gawk
  • ~/.bashrc
...
# Find the key this login was made with. The AuthorizedKeysCommand was run by
# the per-connection sshd, so the PPID it logged is the parent of this shell
# or, with privilege separation (the norm), its grandparent; field 4 of
# /proc/<pid>/stat is a process's parent PID. Match the user as well and take
# the LAST matching line: PIDs are reused, in particular after a reboot, while
# the log is only rotated weekly.
[ -f /var/log/fingerprint.log ] && FINGERPRINT=$(/usr/bin/gawk -v ppid="(${PPID}|$(awk '{print $4;}' /proc/${PPID}/stat))" -v user="U=${LOGNAME}" '$4 == user && $5 ~ "^PPID="ppid"$" { fp=$6; sub(/^FP=/,"",fp); gsub(/\//,"_",fp); } END { print fp }' /var/log/fingerprint.log)

# Set the history file: one per SSH key; under sudo one per invoking user;
# otherwise the default.
export HISTFILE=~/.bash_history_${FINGERPRINT:-${SUDO_USER:-default}}
...
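The lookup that ~/.bashrc performs, as a stand-alone script that can be run against constructed log lines. This is an added example, not code from the wiki; it assumes the line format written by /opt/sbin/fingerprintlog above, uses plain awk (the page installs gawk, but nothing here needs GNU extensions), and goes slightly beyond the one-liner: it matches the U= field as well as the PPID, accepts only well-formed fingerprints before turning them into a file name, and lets the newest matching line win. The function names fp_lookup, histfile_suffix and write_sample_log, the PIDs, user names, fingerprints and keys are all made up for the example.

```shell
#!/bin/bash
# Added example: stand-alone version of the fingerprint lookup that ~/.bashrc
# does against /var/log/fingerprint.log. Not part of the wiki page.
#
# Each line written by /opt/sbin/fingerprintlog is whitespace-separated:
#   <date> ssh-login T=<keytype> U=<user> PPID=<pid> FP=<fingerprint> K=<pubkey>

# fp_lookup LOGFILE USER PID [PID...]
# Prints the fingerprint from the newest line whose U= field is USER and whose
# PPID= field is one of the PIDs (in .bashrc: the shell's parent and
# grandparent), with "/" replaced by "_" so it can be part of a file name.
# Prints nothing when no line matches.
fp_lookup() {
    local logfile=$1 user=$2
    shift 2
    [ $# -gt 0 ] && [ -r "$logfile" ] || return 1
    # Build the alternation "4242|4240" from the remaining arguments.
    local pidre
    pidre=$(IFS='|'; printf '%s' "$*")
    awk -v pidre="^PPID=(${pidre})\$" -v user="U=${user}" '
        # The line was produced from data an unauthenticated client sent, so
        # only a fingerprint made of the characters sshd itself emits
        # (e.g. SHA256:<base64>) is allowed to become part of a file name.
        $2 == "ssh-login" && $4 == user && $5 ~ pidre && $6 ~ "^FP=[A-Za-z0-9:+/]+$" {
            fp = $6                 # keep overwriting: the last match is the
            sub(/^FP=/, "", fp)     # current login, earlier ones may be a
            gsub("/", "_", fp)      # reused PID from a previous boot
        }
        END { if (fp != "") print fp }
    ' "$logfile"
}

# histfile_suffix LOGFILE USER PID [PID...]
# The suffix .bashrc appends to ~/.bash_history_: the key fingerprint if the
# login can be found, otherwise the sudo caller, otherwise "default".
histfile_suffix() {
    local fp
    fp=$(fp_lookup "$@") || true
    printf '%s\n' "${fp:-${SUDO_USER:-default}}"
}

# write_sample_log FILE
# Constructed log lines (fingerprints and keys are placeholders, not real keys):
#   1. alice, PPID 4242, a week old: stale, the PID was reused after a reboot
#   2. bob,   PPID 4242: another user's login that happens to share the PID
#   3. alice, PPID 4242: the current login, the one that must win
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-02T09:00:00+01:00 ssh-login T=ssh-ed25519 U=alice PPID=4242 FP=SHA256:stale/AAAAAAAA K=placeholder-key-1
2024-01-09T10:15:00+01:00 ssh-login T=ssh-rsa U=bob PPID=4242 FP=SHA256:bob/BBBBBBBB K=placeholder-key-2
2024-01-09T10:16:30+01:00 ssh-login T=ssh-ed25519 U=alice PPID=4242 FP=SHA256:alice/CCCC+dddd K=placeholder-key-3
EOF
}

# Demonstration on a temporary copy of the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "alice, parent 4242 or grandparent 4240: $(fp_lookup "$demo_log" alice 4242 4240)"
echo "bob, parent 4242:                       $(fp_lookup "$demo_log" bob 4242)"
echo "alice, unknown PID, not under sudo:     $(SUDO_USER= histfile_suffix "$demo_log" alice 9999)"
rm -f "$demo_log"
```

Run it as a normal user; it touches nothing outside a temporary file. The third line of the sample log wins over the first one although both carry PPID=4242, which is exactly the case a first-match lookup gets wrong after a reboot.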