>>> On 1/22/2009 at 12:26 PM, Alan Altmark <[email protected]> wrote:
> On Thursday, 01/22/2009 at 11:06 EST, John Summerfield
> <[email protected]> wrote:
>
>> Auditors like to think they know who did things. If I connect to your
>> system using ssh, how do you know it's me? All you know is that someone
>> connected using a public key you've approved.
>
> Because you (should) have 'PubKeyAuthentication YES' on each server you
> will access. That will cause a signature to be generated using your
> matching private key, which is only on your home system(s). That, in
> turn, requires you to enter the password you used during ssh-keygen.
Two notes...

PubkeyAuthentication simply _allows_ (or denies) people to log in via public key authentication. It doesn't turn that authentication on or off while still allowing people to log in via those keys. The default is "yes."

Second, as John Summerfield has pointed out, by default no indication of what public/private key pair was used for authentication is logged. To get _that_ to happen, and to be able to correlate who signed in, the default of LogLevel INFO needs to be changed to LogLevel VERBOSE. Once that is done, you get syslog entries such as

Jan 22 12:54:41 git390 sshd[24776]: Found matching DSA key: 20:fd:b3:0f:e3:9f:fa:e7:7c:d9:14:a4:7b:aa:dc:78
Jan 22 12:54:42 git390 sshd[24776]: Accepted publickey for root from xxx.xxx.xxx.xxx port 22663 ssh2

I don't know what all else might get generated in the logs for other events by setting LogLevel VERBOSE, but in this particular instance, not much.

Mark Post

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
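Worked example, added here and not part of Mark Post's message or of OpenSSH itself: a small Python script that reads sshd syslog lines of the shape shown above, pairs each "Accepted" line with the "Found matching ... key" fingerprint logged by the same sshd process id, and maps that fingerprint to a person through a fingerprint-to-owner table. The log lines, the 192.0.2.x addresses, the second fingerprint and the owner table are all constructed for the example; a password login, which leaves no fingerprint, is reported as unattributable, and a fingerprint missing from the table is flagged as an unknown key.

```python
import re

# Constructed sample syslog lines in the shape quoted above (sshd at LogLevel VERBOSE).
# Addresses are from the 192.0.2.0/24 documentation range; the second fingerprint is made up.
SAMPLE_LOG = """\
Jan 22 12:54:41 git390 sshd[24776]: Found matching DSA key: 20:fd:b3:0f:e3:9f:fa:e7:7c:d9:14:a4:7b:aa:dc:78
Jan 22 12:54:42 git390 sshd[24776]: Accepted publickey for root from 192.0.2.10 port 22663 ssh2
Jan 22 12:58:03 git390 sshd[24810]: Found matching RSA key: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00
Jan 22 12:58:04 git390 sshd[24810]: Accepted publickey for root from 192.0.2.11 port 40122 ssh2
Jan 22 13:01:17 git390 sshd[24850]: Accepted password for root from 192.0.2.12 port 40500 ssh2
"""

# Constructed fingerprint -> owner table; in practice built with `ssh-keygen -l` over each
# person's public key before it is added to authorized_keys.
KEY_OWNERS = {
    "20:fd:b3:0f:e3:9f:fa:e7:7c:d9:14:a4:7b:aa:dc:78": "john",
    "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00": "alan",
}

FOUND_RE = re.compile(r"sshd\[(\d+)\]: Found matching \w+ key: ([0-9a-f:]+)")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")

def correlate_logins(log_text, key_owners):
    """Attribute each accepted login to a person.

    sshd writes the fingerprint and the acceptance as two lines from the same
    process id, so the pid is the join key. Returns one dict per login with
    user, method, src, fingerprint and owner ('unknown key' if the fingerprint
    is not in the table, None if no key was involved, e.g. a password login).
    """
    pending = {}   # pid -> fingerprint seen but not yet matched to an Accepted line
    logins = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            pid, method, user, src, _port = m.groups()
            fp = pending.pop(pid, None)
            owner = None if fp is None else key_owners.get(fp, "unknown key")
            logins.append({"user": user, "method": method, "src": src,
                           "fingerprint": fp, "owner": owner})
    return logins

if __name__ == "__main__":
    for entry in correlate_logins(SAMPLE_LOG, KEY_OWNERS):
        print(entry)
```

Every login here is for the shared account "root", so only the fingerprint tells the auditor which person was behind it; the password login shows the gap that remains when key authentication is not enforced.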
