On Tue, Jan 24, 2006 at 04:31:39PM -0700, Spruell, Darren-Perot wrote:
> From: Joachim Schipper [mailto:[EMAIL PROTECTED]
> > > Our situation is that we have a user account that multiple people have
> > > access to log into to retrieve files. Each user authenticates to that
> > > account with their own SSH key. Current log entry shows:
> > >
> > > Jan 24 11:01:20 sftp sshd[23555]: Accepted publickey for transfers from
> > > 10.2.58.44 port 1420 ssh2
> > >
> > > Would be useful to have information logged for the connection identifying
> > > the key used to authenticate, by the key comment if possible. Does sshd
> > > already have this capability? Would anyone consider this a useful feature
> > > addition?
> >
> > Only if you can provide a good reason this can not be implemented as a
> > couple of users and a shared group, combined with a group-writable
> > directory.
>
> We require that the users be chroot'd to the home directory, so we'd
> probably have to break the chroot to have a commonly writable directory...?
I don't know what method you use for that, but quite a few are flawed.
It's not part of stock sshd last I checked, either. (Though it'd be
neat.)
Anyway, create a /home/workgroup in which to chroot,
/home/workgroup/shared for the group-writable documents, and
/home/workgroup/dave and so on for the users. This, of course, breaks as
soon as someone is in more than two groups (some hacks might still be
possible, but this will soon grow out of control).
> > However, as to an actual solution, use the command= syntax in
> > authorized_keys (see sshd(8), under 'AUTHORIZED_KEYS FILE FORMAT', as
> > was pointed out to me on misc@ this week) to differentiate
> > between keys, if desired.
>
> It's not occurring how a command= option could be used to provide logging of
> which key was used to authenticate as that user. What did you have in mind?
Something like
command="/usr/local/bin/logme dave",no-port-forwarding,no-X11-forwarding ---hexblob for the key--- dave
With
#!/bin/ksh
# Log which key was used ($1 is the label passed via the command= option), then
# run whatever the client asked for, or an interactive shell if nothing was asked.
/usr/bin/logger -t logme "$1 logged in"
[ -n "$SSH_ORIGINAL_COMMAND" ] && exec "$SHELL" -c "$SSH_ORIGINAL_COMMAND"
exec "$SHELL"
Of course, a compiled version of the above resists problems with the
environment scrubbing a lot better, and might be preferable.
This is not perfect though, as it is possible to run ssh without
executing a command. no-port-forwarding and no-X11-forwarding take away
any useful application of this, as far as I know.
It is also inconvenient, as I rather like the ability to run a quick
command on a remote host, but it does work.
Joachim
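A fuller version of the forced-command wrapper discussed above, added here as an example and not code from the thread. It assumes the hypothetical install path /usr/local/bin/logme from the authorized_keys line, that sshd exports SSH_ORIGINAL_COMMAND and SSH_CONNECTION, and that the sftp subsystem is configured as /usr/libexec/sftp-server; it records the key label and client address, and since the shared account exists only for file transfer it allows the sftp subsystem and refuses everything else (so the "run ssh without executing a command" gap noted above is logged and closed rather than handed a shell).

```shell
#!/bin/sh
# Forced-command wrapper for a shared transfer account. Installed as
#   command="/usr/local/bin/logme dave",no-port-forwarding,no-X11-forwarding ...
# in authorized_keys, one line per key, each with its own label (hypothetical path).

# Build the syslog message: key label $1, client's original request $2
# (empty when the client asked for an interactive shell) and SSH_CONNECTION $3
# ("client-ip client-port server-ip server-port", as exported by sshd).
logme_message() {
    label=$1
    orig=${2:-interactive-shell}
    client=${3%% *}                       # first field: client address
    printf 'key=%s from=%s cmd=%s' "$label" "${client:-unknown}" "$orig"
}

# Decide what may run on the client's behalf. Only the configured sftp
# subsystem binary (assumed /usr/libexec/sftp-server) is allowed; prints the
# program to exec and returns 0, or prints nothing and returns 1 to refuse.
logme_action() {
    case $1 in
        /usr/libexec/sftp-server) printf '%s' /usr/libexec/sftp-server ;;
        *) return 1 ;;
    esac
}

logme_main() {
    label=${1:?usage: logme <key-label>}
    msg=$(logme_message "$label" "$SSH_ORIGINAL_COMMAND" "$SSH_CONNECTION")
    /usr/bin/logger -t logme -p auth.info "$msg"
    if action=$(logme_action "$SSH_ORIGINAL_COMMAND"); then
        exec "$action"
    fi
    # Anything other than the sftp subsystem (shells, scp, arbitrary commands)
    # is refused, and the refusal is logged with the same key label.
    /usr/bin/logger -t logme -p auth.warning "refused: $msg"
    exit 1
}

# Run as a forced command when invoked with the key label argument.
if [ $# -gt 0 ]; then logme_main "$@"; fi
```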