14

Is this possible to customize auth.log about which key was used?

view full story
linux-howto

http://unix.stackexchange.com – I use a classical pair of private/public key in order to connect into servers. For now, we have one dedicated account, let's say foo, which is used by multiple users, each with their own pairs of public/private keys. I am looking for a way to log which user authenticated on this foo account. For now, I manage to found that if I raise LogLevel to VERBOSE in /etc/ssh/sshd_config, ssh log the *fingerprint of the public key in /var/log/auth.log. It looks like this : Apr 2 18:33:15 xxx-yy sshd[32064]: Connection from A.B.C.D port 43286 Apr 2 18:33:15 xxx-yy sshd[32064]: Found matching RSA (HowTos)

Songlist's picture
Submitted by Songlist on 04/02/2012 – Made popular on 04/02/2012

Stories similar to Is this possible to customize auth.log about which key was used?

Are there any security-related concerns with using the same ssh public/private key pair to logon to multiple remote systems from multiple local systems? In other words, generate a single public/private key pair for my own use, distribute the key pair to my account on all of the systems I want to login from, and copy the public key to all of the remote systems I want to login to.

First, sorry if this question has already been asked/answered - I've searched but perhaps I haven't recognised the answer....

What we have is a cluster of servers which need to access a single remote server using sftp.

We are migrating from one remote server to another at the same (remote) location.

We also want to refresh the public/private key pairs on the configuration as part of an ongoing

I have a debian box that I connect to via SSH. I have removed the password from the users root, and my personal account using the instructions here, and set up a public/private key pair so I can log in, but only if I have the private key.

I recently ran cat /etc/passwd in order to see what other users where on the system, and got a fair list back.

Connection closed [preauth] 21 weeks 5 days ago

On a Ubuntu 12.04 server, I am getting the following pair of messages in auth.log several times a minute:

Jan 17 22:04:25 binx sshd[14659]: Connection closed by 192.168.0.1 [preauth] Jan 17 22:04:25 binx sshd[14661]: Connection closed by 192.168.0.5 [preauth]

Both those IP addresses belong to separate computers (192.168.0.1 is our firewall/router, 192.168.0.5 is our backup machine), and seem to

I've read in various places, such as in this question that using an ssh key pair without a passphrase allows attackers to steal your private key if they gain access to your account. I assumed that by "steal" it meant they could fairly easily do a brute-force attack to try every possible private key until they found one that matched the public key stored in your account.

[ubuntu] Was I hacked? 6 weeks 5 days ago

Hi all.

I notice some weird behavior in the computer from my work and it seems like someone was trying to hack in, but I'm not sure if he got through. The problem is that we have installed an ssh server in this pc and somebody (from work) created a account with an easy password and a hacker got access through this account.

I have some servers in the DMZ that receive public traffic from an external (public) IPv4 address. This is translated at our gateway to a 172.x.x.x address.

All external clients are using local accounts and are chrooted.

I'm done setting up ssh login using public/private key pair. I have my id_rsa (private key) in my ~/.ssh directory and also still have id_rsa.pub (public key) in the same directory.

Hopefully you guys can help and see if I've done something weird here, I'm trying to log in with a user I set up, FileZilla shows me:

Command: open "///@///" Command: Pass: ******** Status: Connected to /// Error: Connection closed by server with exitcode 1 Error: Could not connect to server

So, I went into auth.log and I see this:

Feb 12 11:08:49 sshd[12056]: Accepted password for /// fr