Can I audit user activity on a linux system when users login as a shared user using an ssh identity?
Question
Let's say I have a user "appuser" on a linux system with a number of public keys set up in their authorized_keys file where several different people can log in as "appuser".
When I log in using my private key that is linked to my public key, is what I do as the "appuser" traceable back to me? (I want it to be). If the activity is not traceable back to the identity of the user that logged in as app user, is there a way to make it traceable back to that identity?
1 answers
solution1
0 2012-08-28 18:01:36
The authorized_keys file allows for some options, including 'command' which will call a program or script you can write. I haven't tried this, but you might be able to perform whatever actions you need to in the script and then exec bash (or your shell of choice).
Another way you can match logins with keys is to turn LogLevel in sshd_config to VERBOSE and grep /var/log/secure (or whatever AUTHPRIV messages are going to) for 'Found matching .* key'. You can run the key found in the 'Found matching' line through 'ssh-keygen -l -f' which will dump the matching entry in authorized_keys.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.