  1. #1
    Just Joined!
    Join Date
    Nov 2013
    Posts
    9

    How to check which user with public key has logged in server via ssh?


    Hi all, I wanted to secure my host servers completely; all are CentOS-cPanel running servers. One of the basic things is SSH. They currently have key authentication enabled, and password authentication is disabled. I have a few admins working under me for managing my servers, and all of them have root privilege using key-based authentication. They have their own public keys, which are added on all of my servers in the file /root/.ssh/authorized_keys

    Now I am just curious and want to know how I can check which user logged in with which of their public keys. All I can see in the /var/log/secure log is as follows:

    =============
    Jul 14 02:48:05 serverxxx sshd[428512]: Accepted publickey for root from 192.x.x.x port 59445 ssh2
    Jul 14 02:48:17 serverxxx sshd[428512]: Received disconnect from 192.x.x.x: 11: disconnected by user
    =============

    I did not find it that useful. Yes, of course we get the IP here, but all of my users are using dynamic IPs and different ISPs, so it changes every time. Is there any way to check which public key has accessed root via ssh??

    I already tried enabling "LogLevel INFO" and "LogLevel VERBOSE" in the sshd_config after checking some public URLs, but nothing changes in what is logged in the secure log.

  2. #2
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,390
    LogLevel VERBOSE requires a sshd restart.
    And it does work, I just verified that on a debian wheezy.

    However, I would suggest to deny remote root login altogether and instead have a personalized account for each user.
    This has advantages
    - each user can have his/her own environment (favourite editor, shell, etc)
    - each admin user can escalate via sudo config
    - you need three tokens instead of two to gain root, which increases security: keypair and passphrase vs keypair, passphrase and user password

    Local root login should still work, in case user logins are unavailable for whatever reason or if there is need to boot into init 1.


    And while admin logins are necessary for quick intervention, we have the rule to not change anything interactively via a shell.
    All modifications must be done via puppet, revisioned by git and peer reviewed.
    This way, all machines stay fully controlled and maintainable.
    aka: There will be no "unique snowflakes", which nobody understands anymore because of <unknown number> of modifications.
    You must always face the curtain with a bow.

  3. #3
    Just Joined!
    Join Date
    Nov 2013
    Posts
    9

    Originally posted by Irithori:
    LogLevel VERBOSE requires a sshd restart.
    And it does work, I just verified that on a debian wheezy.

    However, I would suggest to deny remote root login altogether and instead have a personalized account for each user.
    This has advantages
    - each user can have his/her own environment (favourite editor, shell, etc)
    - each admin user can escalate via sudo config
    - you need three tokens instead of two to gain root, which increases security: keypair and passphrase vs keypair, passphrase and user password

    Local root login should still work, in case user logins are unavailable for whatever reason or if there is need to boot into init 1.


    And while admin logins are necessary for quick intervention, we have the rule to not change anything interactively via a shell.
    All modifications must be done via puppet, revisioned by git and peer reviewed.
    This way, all machines stay fully controlled and maintainable.
    aka: There will be no "unique snowflakes", which nobody understands anymore because of <unknown number> of modifications.

    Hi, thanks much for the tips and tricks, really helpful. Yes, I did restart sshd after enabling "LogLevel VERBOSE", but nothing changes in the logging on CentOS; maybe it works in Debian-based flavors. And I will surely consider enabling different accounts for each user and disabling direct root logins. Thanks once again.
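An added example, not part of any post in this thread: once sshd does log key fingerprints, this sketch attributes each root login to a line in /root/.ssh/authorized_keys by its comment field. It assumes the two log shapes sshd is known to produce (older releases at LogLevel VERBOSE write a separate "Found matching ... key" line under the same sshd PID; newer releases append the fingerprint to the "Accepted publickey" line); the key blobs, names, addresses and log lines are constructed.

```python
import base64, hashlib, re

FOUND = re.compile(r"sshd\[(\d+)\]: Found matching \S+ key: (\S+)")
ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) port \d+ ssh2(?:: \S+ (\S+))?")

def fingerprints(blob_b64):
    """Return the (MD5 colon-hex, SHA256 base64) fingerprints of a public key blob."""
    raw = base64.b64decode(blob_b64)
    h = hashlib.md5(raw).hexdigest()
    md5 = ":".join(h[i:i + 2] for i in range(0, len(h), 2))
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def load_owners(authorized_keys):
    """Map both fingerprints of every key to that line's comment field."""
    owners = {}
    for line in authorized_keys.splitlines():
        fields = [] if line.lstrip().startswith("#") else line.split()
        for i, f in enumerate(fields[:-1]):
            if f.startswith(("ssh-", "ecdsa-")):   # key type; options may precede it
                comment = " ".join(fields[i + 2:]) or "(no comment)"
                for fp in fingerprints(fields[i + 1]):
                    owners[fp] = comment
                break
    return owners

def attribute(log_text, owners):
    """Return (user, source IP, key owner) for each accepted public key login."""
    pending, out = {}, []
    for line in log_text.splitlines():
        m = FOUND.search(line)
        if m:
            pending[m.group(1)] = m.group(2)       # remember fingerprint per sshd PID
        m = ACCEPT.search(line)
        if m:
            pid, user, ip, fp = m.groups()
            fp = fp or pending.pop(pid, None)      # old format: take it from the PID
            out.append((user, ip, owners.get(fp, "unknown key")))
    return out

def _blob(name):  # constructed stand-in for a real base64 public key blob
    return base64.b64encode(b"constructed-key-" + name.encode()).decode()
SAMPLE_KEYS = "\n".join(f"ssh-rsa {_blob(n)} {n}@laptop" for n in ("alice", "bob"))
SAMPLE_LOG = "\n".join([  # constructed lines in the style of /var/log/secure
    f"Jul 14 02:48:04 serverxxx sshd[428512]: Found matching RSA key: {fingerprints(_blob('alice'))[0]}",
    "Jul 14 02:48:05 serverxxx sshd[428512]: Accepted publickey for root from 192.0.2.10 port 59445 ssh2",
    f"Jul 14 03:10:41 serverxxx sshd[428600]: Accepted publickey for root from 192.0.2.77 port 40112 ssh2: RSA {fingerprints(_blob('bob'))[1]}",
    "Jul 14 03:15:00 serverxxx sshd[428700]: Accepted publickey for root from 192.0.2.99 port 40200 ssh2",
])
```

A login reported as "unknown key" means no fingerprint was logged for it or the key is not in the file that was read, which is the situation the original log excerpt shows.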
