Re: Auditing SSH logs
hi,
you could be a little bit more verbose :-) or at least your ssh
command :-)

ssh -v -v foo@bar will give you the fingerprint of the used key

then a ssh-add -l will give you the fingerprint and the name of the
available keys

On Fri, 2007-06-01 at 14:28 -0300, Flavio Junior wrote:
Hi folks, good morning/afternoon/evening ;)

I'll try to explain my doubt, but sorry for my English..

Can someone tell me if there is a way to make the SSHD log show me "which" key
has been accepted when logged in as root ?

Example:
"May 31 15:15:17 lazlo sshd[12583]: Accepted publickey for root from
192.168.4.192 port 1835 ssh2"

But ... which key has been accepted ? How can I audit something like
this, if I have more than a single key in authorized_keys for root ?


More info about one of my boxes:

lazlo:~# cat /etc/debian_version
4.0
lazlo:~# uname -a
Linux lazlo 2.6.18-4-amd64 #1 SMP Mon Mar 26 11:36:53 CEST 2007 x86_64 GNU/Linux
lazlo:~# dpkg -l | grep ssh
ii openssh-client 4.3p2-9
Secure shell client, an rlogin/rsh/rcp repla
ii openssh-server 4.3p2-9
Secure shell server, an rshd replacement
lazlo:~# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9

Connection closed by foreign host.
lazlo:~# grep -Ev '^$|^#' /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
lazlo:~#


Best regards,


Flávio do Carmo Junior
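An added example, not from the thread, of how a defender can answer the original question on the server side: build a fingerprint lookup table from root's authorized_keys and match it against sshd log lines. OpenSSH 4.x logs the MD5 fingerprint of the matching key at LogLevel VERBOSE ("Found matching RSA key: ..."), and current releases put a SHA256 fingerprint in the "Accepted publickey" line itself; the keys, comments and log lines below are constructed placeholders.

```python
import base64
import hashlib
import re
import struct

def ed25519_blob(raw32):
    """Base64 ssh-ed25519 public key blob: two SSH strings (4-byte length + data)."""
    wire = struct.pack(">I11s", 11, b"ssh-ed25519") + struct.pack(">I32s", 32, raw32)
    return base64.b64encode(wire).decode()

# Constructed authorized_keys for root (placeholder key material, not real keys);
# the comment field is what we want to see in the audit trail.
AUTHORIZED_KEYS = "\n".join([
    "# keys for root",
    "ssh-ed25519 " + ed25519_blob(bytes(range(32))) + " flavio@laptop",
    'from="192.168.4.0/24" ssh-ed25519 ' + ed25519_blob(bytes(range(32, 64))) + " backup@lazlo",
])
KEY_RE = re.compile(r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)\s*(.*)$")

def parse_authorized_keys(text):
    """Return (keytype, blob_bytes, comment) per key line; options and # comments are skipped."""
    entries = []
    for line in text.splitlines():
        m = KEY_RE.search(line)  # search, not match: tolerates leading options such as from="..."
        if m and not line.lstrip().startswith("#"):  # skip blank and comment lines
            keytype, b64, comment = m.groups()
            entries.append((keytype, base64.b64decode(b64), comment.strip() or "<no comment>"))
    return entries

def fingerprint_md5(blob):
    """Legacy ssh-keygen -l form (OpenSSH before 6.8): colon-separated MD5 hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob):
    """Current ssh-keygen -l form: SHA256:<unpadded base64 of the SHA-256 digest>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_index(text):
    """Map both fingerprint forms of every key to its comment, for log lookup."""
    index = {}
    for _keytype, blob, comment in parse_authorized_keys(text):
        index[fingerprint_md5(blob)] = comment
        index[fingerprint_sha256(blob)] = comment
    return index

def identify_key(log_line, index):
    """Return the comment of the key whose fingerprint appears in an sshd log line, else None."""
    return next((comment for fp, comment in index.items() if fp in log_line), None)
```

The same fingerprints can be cross-checked with `ssh-keygen -l -f` on each key; a plain "Accepted publickey" line at LogLevel INFO from a 4.x server carries no fingerprint, so the lookup returns None for it.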