Re: Auditing SSH logs



On 6/4/07, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> Flavio Junior wrote:
> > Hi folks, good morning/afternoon/evening ;)
> >
> > I'll try to explain my doubt, but sorry for my English..
> >
> > Can someone tell me if there is a way to make the SSHD log show me
> > "which" key has been accepted when logged in as root?
> >
> > Example:
> > "May 31 15:15:17 lazlo sshd[12583]: Accepted publickey for root from
> > 192.168.4.192 port 1835 ssh2"
> >
> > But ... which key has been accepted? How can I audit something like
> > this if I have more than a single key in authorized_keys for root?
>
> Set "LogLevel verbose" in sshd_config and you'll get the key fingerprint
> logged in syslog too ("Found matching RSA key: XX:XX..")

Hm...
This is, at least, an improvement :)

But how can I discover which key a given fingerprint belongs to?

Thanks again ;)


Flavio do Carmo Junior
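
Added example, not part of the original thread: one way to map a logged fingerprint back to a key is to compute the fingerprint of every entry in authorized_keys and look up the value sshd logged. The sample file, key blobs and function names are constructed for illustration; the MD5 colon-hex form is the style quoted in the thread, and the SHA256 form is what newer OpenSSH releases log.

```python
import base64
import hashlib
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
FP_IN_LOG = re.compile(r"\b[0-9a-f]{2}(?::[0-9a-f]{2}){15}\b|SHA256:[A-Za-z0-9+/]{43}")

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    return re.findall(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+', line)

def fingerprints(blob):
    """Return (MD5 colon-hex, unpadded SHA256 base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def index_authorized_keys(text):
    """Map each fingerprint to (line number, key type, comment)."""
    index = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # Options (from=, command=, ...) precede the key type, so locate it.
        pos = next((i for i, f in enumerate(fields) if KEY_TYPE.match(f)), None)
        if pos is None or pos + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[pos + 1], validate=True)
        except ValueError:
            continue  # malformed key data, skip the entry
        entry = (lineno, fields[pos], " ".join(fields[pos + 2:]))
        for fp in fingerprints(blob):
            index[fp] = entry
    return index

def key_for_log_line(log_line, index):
    """Return the authorized_keys entry whose fingerprint appears in a log line."""
    m = FP_IN_LOG.search(log_line)
    return index.get(m.group(0)) if m else None

# Constructed sample: the blobs are placeholder bytes, not real public keys.
BLOB_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-A").decode()
BLOB_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-B").decode()
SAMPLE = (f"# constructed file\nssh-rsa {BLOB_A} alice@laptop\n"
          f'from="192.168.4.*",command="/usr/bin/backup run" ssh-rsa {BLOB_B} backup job\n')
```

Giving each key in authorized_keys a distinct comment is what makes the returned entry useful for attributing a root login to a person or job.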