On 11/30/2011 08:32 PM, Kacper Wysocki wrote:
On Wed, Nov 30, 2011 at 5:13 PM, Kat<[email protected]> wrote:
Ok this one has me stumped and I am not sure it can be done.
I have a dozen or so accounts using ssh keys. Pretty normal. I want to
set an alert only if one of these accounts suddenly starts asking for
a password? Any ideas?
ssh reports differently for the two cases:
Nov 27 23:09:45 wasp sshd[8999]: Accepted password for wakka from
127.0.0.1 port 33008 ssh2
Nov 27 23:39:37 wasp sshd[6929]: Accepted publickey for wakka from
127.0.0.1 port 47951 ssh2
Why don't you setup sshd to ONLY accept the key and NOT the password?
so I'm pretty sure it can be done.
You could trigger for "Accepted password" with a higher alert level.
Or you can get fancy and fulfill your second requirement - by grouping
on the user names that are only logging in thru ssh keys.
0k
--
Dennis Golden
Golden Consulting Services, Inc.
