ssh-key-wtmp
This tool is meant to complement the ai3/float SSH authentication model by providing a meaningful SSH access log, and ultimately a wtmp analog that works with real admin identities.
The problem is that float's model of "root access with admin SSH keys" does not result in useful logs: SSH logs the key fingerprint thanks to the LogLevel VERBOSE directive, but mapping those fingerprints back to users is a manual, complex process (among other things, SSH tooling doesn't exactly make it easy to go from a public key string to a fingerprint).
The solution to this is a mechanism by which, on every successful SSH connection, we look up the key used, map it to an admin username via the authorized_keys comment field, and create an additional syslog entry containing both.
The implementation relies on PAM, taking advantage of pam_exec to run a small logging command when a successful SSH connection is established. Hooking this up to the PAM session stage allows us to detect begin and end of the sessions (by looking at PAM_TYPE being open_session or close_session).
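The lookup described above, as an added illustration that is not the project's own code: it parses an authorized_keys file (including entries with an options prefix such as command="..." or no-pty), computes the OpenSSH-style SHA256 fingerprint of each key blob, maps fingerprints to the comment field, and builds the syslog line for a PAM session event from the pam_exec environment (PAM_TYPE, PAM_USER, PAM_RHOST). The key blobs in the sample are constructed placeholders, not real keys, and taking the fingerprint of the authenticating key from the first command-line argument is an assumption made here for demonstration; the page does not describe how ssh-key-wtmp itself obtains it.

```python
import base64
import hashlib
import os
import sys
import re

# One authorized_keys entry: optional options prefix, key type, base64 blob, optional comment.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)\s*(?P<comment>.*)$"
)


def fingerprint(blob_b64):
    """Return the OpenSSH-style SHA256 fingerprint of a base64 key blob.

    This is what `ssh-keygen -lf` prints: base64(sha256(decoded blob)) without padding.
    """
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def load_authorized_keys(text):
    """Map fingerprint -> comment for every key line in an authorized_keys body."""
    keymap = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue  # not a key line; skip rather than fail on one bad entry
        keymap[fingerprint(m.group("blob"))] = m.group("comment").strip()
    return keymap


def session_message(pam_env, keymap, fp):
    """Build the log line for a PAM session event, or None for non-session stages.

    pam_env is the environment pam_exec passes (PAM_TYPE, PAM_USER, PAM_RHOST);
    fp is the fingerprint of the key that authenticated this session.
    """
    pam_type = pam_env.get("PAM_TYPE", "")
    if pam_type not in ("open_session", "close_session"):
        return None
    admin = keymap.get(fp, "unknown")  # unmapped key: log it rather than drop the event
    return "ssh-key-wtmp: %s user=%s admin=%s rhost=%s key=%s" % (
        pam_type, pam_env.get("PAM_USER", "?"), admin, pam_env.get("PAM_RHOST", "?"), fp)


# Constructed sample: the blobs are base64 of placeholder bytes, NOT real key material.
ALICE_BLOB = base64.b64encode(b"placeholder key material for alice").decode()
BOB_BLOB = base64.b64encode(b"placeholder key material for bob").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# admin keys (constructed sample)",
    "ssh-ed25519 %s alice" % ALICE_BLOB,
    'command="/usr/bin/true",no-pty ssh-rsa %s bob backup' % BOB_BLOB,
    "",
])


if __name__ == "__main__":
    # Assumed invocation for the demo: fingerprint of the authenticating key as argv[1].
    keymap = load_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    fp = sys.argv[1] if len(sys.argv) > 1 else fingerprint(ALICE_BLOB)
    env = dict(os.environ)
    env.setdefault("PAM_TYPE", "open_session")
    msg = session_message(env, keymap, fp)
    if msg is not None:
        print(msg)  # a real hook would hand this to syslog instead of stdout
```

Looking the key up by fingerprint rather than by the raw public key string sidesteps the awkward conversion the text mentions: the fingerprint is the form sshd already writes to the log at LogLevel VERBOSE, so the file only has to be scanned once per event.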
Something like the following, in /etc/pam.d/sshd, should be sufficient for system integration:
session optional pam_exec.so {seteuid} /usr/bin/ssh-key-wtmp
The Debian package will set this up automatically.
The major feature of the tool is logging the connection details over syslog, so that they will eventually be transferred to the centralized logging system. But it is also possible to query the local session database just as one would with the last tool: just invoking ssh-key-wtmp will list the last 100 sessions on the local host.
The tool handles reboots by starting the ssh-key-wtmp-boot.service systemd unit at boot, which looks through the wtmp database and emits close_session logs for the sessions that were active at reboot time. This ensures that all logged sessions have a matching open_session/close_session pair.
Configuration
The tool needs to retrieve the specific SSH key that was used for authentication from an authorized_keys file in order to read its comment. It is important that the --authorized-keys-file command-line option to ssh-key-wtmp matches the AuthorizedKeysFile directive in your sshd_config. Note that the default value for this option works for the ai3/float environment, but it is not the SSH default. For that, you'll need to set:
--authorized-keys-file=".ssh/authorized_keys .ssh/authorized_keys2"
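To make the matching requirement concrete, the following added example (not the project's code) resolves an AuthorizedKeysFile-style value the way sshd does: the value is whitespace-separated, %h expands to the user's home directory, %u to the username, %% to a literal percent sign, and a relative path is taken relative to the home directory. The numeric-uid token %U is deliberately left unsupported here; the function name and the sample users are assumptions.

```python
import os
import re

TOKEN_RE = re.compile(r"%(.)")


def expand_authorized_keys_files(spec, user, home):
    """Expand an AuthorizedKeysFile value into absolute paths for one user."""
    def sub(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok == "h":
            return home
        if tok == "u":
            return user
        # %U (numeric uid) and anything else: refuse rather than silently produce a wrong path
        raise ValueError("unsupported AuthorizedKeysFile token %%%s" % tok)

    paths = []
    for item in spec.split():
        expanded = TOKEN_RE.sub(sub, item)
        if not os.path.isabs(expanded):
            expanded = os.path.join(home, expanded)
        paths.append(os.path.normpath(expanded))
    return paths


if __name__ == "__main__":
    # The SSH default from the text, resolved for a constructed user.
    for p in expand_authorized_keys_files(".ssh/authorized_keys .ssh/authorized_keys2", "alice", "/home/alice"):
        print(p)
```

If the option handed to ssh-key-wtmp resolves to a different set of files than sshd actually consulted, the key will not be found and the session cannot be attributed to an admin, which is exactly the failure the configuration note above warns about.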