On Thu, Jan 22, 2009 at 7:03 PM, Mark Post <[email protected]> wrote:

> Second, as John Summerfield has pointed out, by default no indication of what
> public/private key pair was used for authentication is logged. To get _that_
> to happen, and to be able to correlate who signed in, then the default of
> LogLevel INFO needs to be changed to LogLevel VERBOSE. Once that is done,
> you get syslog entries such as
True. We actually made a modification to sshd to display the comments field from the key that was matched. But as I pointed out earlier in this thread, we avoided using the root account entirely (except for extreme emergencies).

But this approach still has most of the problems of shared userids. When two people have both logged in as root with their own cryptic key pair, you will be mostly puzzled which of them did the things that turned out to be a problem (because the PID of the shell is not part of most auditing). With sudo you get the privileged commands in the system logging and it is much easier to understand what happened and who is to blame.

Rob

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
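Added example, not part of the original thread and not the sshd modification Rob describes: one way to recover the same attribution after the fact by matching the key fingerprint in sshd's log against the comment field in authorized_keys. It assumes the "Accepted publickey ... ssh2: TYPE SHA256:..." line that current OpenSSH writes; the function names, addresses and key blobs are constructed for illustration.

```python
import base64
import hashlib
import re

# Assumed formats: authorized_keys entries and sshd's "Accepted publickey" line.
KEY_RE = re.compile(r"(?:^|\s)(ssh-\w+|ecdsa-\S+)\s+([A-Za-z0-9+/]+=*)\s*(.*)$")
LOGIN_RE = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) from (\S+) "
                      r"port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_owners(authorized_keys_text):
    """Map fingerprint -> comment field, skipping any leading options field."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if m:
            owners[fingerprint(m.group(2))] = m.group(3).strip() or "(no comment)"
    return owners

def attribute_logins(log_lines, owners):
    """Return (sshd pid, account, source, key owner) for each public-key login."""
    rows = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m:
            pid, account, source, fp = m.groups()
            rows.append((int(pid), account, source, owners.get(fp, "UNKNOWN KEY")))
    return rows

# Constructed sample data: the blobs are placeholder bytes, not real keys.
A, B, C = (base64.b64encode(b"constructed-blob-" + n).decode() for n in (b"a", b"b", b"c"))
AUTHORIZED_KEYS = (f"# root's authorized_keys\nssh-rsa {A} alice@example.org\n"
                   f'from="192.0.2.0/24" ssh-rsa {B} bob@example.org\n')
P = "Jan 22 19:10:01 host sshd"
LOG = [
    f"{P}[4101]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2: RSA {fingerprint(B)}",
    f"{P}[4177]: Accepted publickey for root from 192.0.2.11 port 40031 ssh2: RSA {fingerprint(A)}",
    f"{P}[4190]: Accepted password for root from 192.0.2.13 port 40040 ssh2",
    f"{P}[4203]: Accepted publickey for root from 192.0.2.12 port 40052 ssh2: RSA {fingerprint(C)}",
]

if __name__ == "__main__":
    for row in attribute_logins(LOG, key_owners(AUTHORIZED_KEYS)):
        print(row)
```

The PID returned is that of the sshd process that logged the login, not of the shell, so it attributes the session but not the individual commands, which is the gap Rob points to.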
