On Wed, Nov 30, 2011 at 5:13 PM, Kat <[email protected]> wrote: > Ok this one has me stumped and I am not sure it can be done. > > I have a dozen or so accounts using ssh keys. Pretty normal. I want to > set an alert only if one of these accounts suddenly starts asking for > a password? Any ideas?
ssh reports differently for the two cases: Nov 27 23:09:45 wasp sshd[8999]: Accepted password for wakka from 127.0.0.1 port 33008 ssh2 Nov 27 23:39:37 wasp sshd[6929]: Accepted publickey for wakka from 127.0.0.1 port 47951 ssh2 so I'm pretty sure it can be done. You could trigger for "Accepted password" with a higher alert level. Or you can get fancy and fulfill your second requirement - by grouping on the user names that are only logging in thru ssh keys. 0k
