7

Several developers using a shared account on a test server, using public key authentication. Is there any way to find out which key was used for authentication (e.g. the keys comment)?

Gyongyeee

4 Answers

5

Are you wanting to find this out after something that has already happened (forensics) or are you wanting to make it so that you can log who does what?

For forensics: On my Fedora system, /var/log/secure contains records of each public key authentication and username, but doesn't say which key was used. You're probably out of luck here.

For future auditability: You can use the authorized_keys file to set the commands each login is restricted to, and then run a program that logs the authentication (and possibly subsequent commands, using something like sudoscript):

If the options phrase at the beginning of a line contains the keyword command="string", then any ssh connection that authenticates using that particular key will only run the command specified, even if the command line it was given specified another command.

It must be said though, it probably makes more sense to set up multiple accounts, and then set up a shared access area...

David Fraser
  • Thank you for your answer. Fortunately I need it for the future. Will this command run instead of the login shell? How can I find out which login shell is configured for the user and launch that after doing the key specific stuff? – Gyongyeee Dec 17 '09 at 19:50
  • A trivial bit of `getent` and `cut` will solve that for you. – womble Dec 17 '09 at 22:40
  • Yes it will run instead of the login shell - and womble's answer should help you there: `getent passwd $USER | cut -d: -f 7` – David Fraser Dec 18 '09 at 11:20
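The per-key wrapper this answer describes, written out as an added example (it is not code from the original answer). It assumes a hypothetical install path /usr/local/bin/key-login, a per-key label passed as the script's only argument, and a log file location that is likewise assumed; sshd itself supplies SSH_ORIGINAL_COMMAND (what the client asked to run, empty for an interactive login) and SSH_CONNECTION, and the login shell is looked up with the getent/cut trick from the comments above.

```shell
#!/bin/sh
# key-login: per-key wrapper for a shared account, invoked by sshd through the
# command="..." option in authorized_keys (hypothetical path /usr/local/bin/key-login):
#
#   command="/usr/local/bin/key-login alice" ssh-ed25519 AAAA...redacted... alice@laptop
#   command="/usr/local/bin/key-login bob"   ssh-rsa     AAAA...redacted... bob@desktop
#
# sshd exports SSH_ORIGINAL_COMMAND (the command the client asked for, empty for an
# interactive login) and SSH_CONNECTION ("client_ip client_port server_ip server_port").

LOG=${KEY_LOGIN_LOG:-"$HOME/.ssh/key-login.log"}   # assumed log location

# One audit line: timestamp, key label, client address, requested command.
format_login_line() {
    # $1 timestamp  $2 key label  $3 client address  $4 original command
    printf '%s key=%s from=%s cmd=%s\n' "$1" "$2" "${3:-unknown}" "${4:-<login shell>}"
}

# Client IP address: the first field of SSH_CONNECTION.
client_addr() {
    set -- ${SSH_CONNECTION:-unknown}
    printf '%s\n' "$1"
}

# The account's configured login shell (getent/cut, as in the comments).
login_shell() {
    getent passwd "$(id -un)" | cut -d: -f7
}

# Append the audit line for key label $1 to $LOG and echo it back.
record_login() {
    line=$(format_login_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" \
                             "$(client_addr)" "${SSH_ORIGINAL_COMMAND:-}")
    printf '%s\n' "$line" >> "$LOG"
    printf '%s\n' "$line"
}

# Hand the session over: run the requested command (scp, git, rsync, ...) through
# the login shell, or start the login shell interactively.
run_session() {
    shell=$(login_shell)
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
    else
        exec "$shell" -l
    fi
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 KEY_LABEL" >&2; exit 64; }
    record_login "$1" >/dev/null
    run_session
}

# Run only when installed and executed as key-login, not when sourced.
case $0 in */key-login|key-login) main "$@" ;; esac
```

Honouring SSH_ORIGINAL_COMMAND is what keeps scp, git and rsync working through the wrapper; without it the forced command would swallow every non-interactive use. Note also that with a shared account everyone who logs in can edit ~/.ssh/authorized_keys and simply drop the command= option from their own line, so if the log is meant to be trusted, point AuthorizedKeysFile in sshd_config at a root-owned file the account cannot write.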
5

...using a shared account...

Thanks for giving us a perfect example to point to when explaining why this is a bad idea. ;-)

Seriously though, what you want cannot be done afaik. And if by "keys comment" you mean the comment that is in the id_rsa file after the key, that's a no-go too. It is a comment; it is not sent to the server on the other side.

Really. Set up multiple accounts.

wzzrd
  • It's not OK to switch to multiple accounts. Please check the linked comment for a secure shared account setup: http://serverfault.com/questions/14012/is-ssh-logging-capabilities-equivalent-to-su-logging-for-private-public-key-authe/14062#14062 – Gyongyeee Dec 17 '09 at 19:35
  • That comment says how to do some extra secure stuff with AuthorizedKeys, not with a shared account. – wzzrd Dec 17 '09 at 20:29
4

If you set sshd to log at a verbose enough level, the fingerprint of the key used to login is printed. Fills your logs awfully fast, though.

womble
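Turning the logged fingerprint back into a name, as an added example that is not part of the original answer. Current OpenSSH releases log the key type and fingerprint on the "Accepted publickey" line at the default LogLevel INFO (the older releases this answer refers to needed LogLevel VERBOSE and logged it on a separate "Found matching ... key:" line); the script below joins those lines against the output of ssh-keygen -lf on authorized_keys, whose last-but-one field is the key comment. The fingerprint table, log lines, hostname, account name and fingerprints are all constructed placeholders.

```shell
#!/bin/sh
# Resolve the key fingerprints sshd logs to the comments in authorized_keys.
# The table format is what `ssh-keygen -lf ~/.ssh/authorized_keys` prints:
#   bits fingerprint comment... (TYPE)

# Constructed sample table (placeholder fingerprints, not real key hashes).
FINGERPRINTS='256 SHA256:ALICEkeyPlaceholder alice@laptop (ED25519)
3072 SHA256:BOBkeyPlaceholder bob@desktop (RSA)
256 SHA256:CAROLkeyPlaceholder carol ci runner (ED25519)'

# Constructed sample sshd log lines (syslog format) for the shared account "devshare".
LOGLINES='Dec 17 19:50:01 testbox sshd[4242]: Accepted publickey for devshare from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:ALICEkeyPlaceholder
Dec 17 20:03:15 testbox sshd[4301]: Accepted publickey for devshare from 192.0.2.11 port 50022 ssh2: RSA SHA256:BOBkeyPlaceholder
Dec 17 20:10:40 testbox sshd[4350]: Accepted password for devshare from 192.0.2.12 port 49000 ssh2
Dec 17 20:30:05 testbox sshd[4377]: Accepted publickey for devshare from 192.0.2.13 port 47010 ssh2: ED25519 SHA256:CAROLkeyPlaceholder
Dec 17 21:00:00 testbox sshd[4400]: Accepted publickey for devshare from 192.0.2.14 port 48000 ssh2: RSA SHA256:UNLISTEDkeyPlaceholder'

# Fingerprint table for a real authorized_keys file (not used by the sample run).
fingerprint_table() {
    ssh-keygen -lf "${1:-$HOME/.ssh/authorized_keys}"
}

# resolve_key_logins TABLE LOG: print "user fingerprint comment" for every
# public-key login in LOG. A fingerprint that is not in TABLE is flagged
# UNKNOWN-KEY (a key added behind your back, or a stale table); password
# logins carry no fingerprint and are skipped.
resolve_key_logins() {
    table=$(mktemp) && log=$(mktemp) || return 1
    printf '%s\n' "$1" > "$table"
    printf '%s\n' "$2" > "$log"
    awk '
        NR == FNR {                    # first file: the fingerprint table
            c = $3                     # comment may contain spaces: fields 3..NF-1
            for (i = 4; i < NF; i++) c = c " " $i
            comment[$2] = c
            next
        }
        /Accepted publickey for / {    # second file: sshd log lines
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i + 1)
            fp = $NF                   # fingerprint is the last field
            print user, fp, ((fp in comment) ? comment[fp] : "UNKNOWN-KEY")
        }
    ' "$table" "$log"
    rm -f "$table" "$log"
}
```

The table and the log must use the same hash: SHA256 is the default for both ssh-keygen and sshd on current releases, and if the logs show colon-separated MD5 fingerprints, build the table with `ssh-keygen -lf -E md5` instead. Every UNKNOWN-KEY line is worth a look, since it means sshd accepted a key that is not in the file you fingerprinted.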
1

For auditability and if your people are using ssh-agent, you could put this in your .bashrc:

if keys=$(ssh-add -L 2>/dev/null); then   # fails when there is no agent or it holds no identities
    SSH_KEY_NAME=$(printf '%s\n' "$keys" | cut -d' ' -f 3- | paste -sd, -)  # key comments, comma-joined
else
    SSH_KEY_NAME="no agent"
fi
echo "$(/bin/date) $SSH_KEY_NAME" >> ~/.login.log
Willem