
ssh-key-wtmp

This tool is meant to complement the ai3/float SSH authentication model by providing a meaningful SSH access log, and ultimately a wtmp analog that works with real admin identities.

The problem is that float's model of "root access with admin SSH keys" does not result in useful logs: SSH logs the key fingerprint thanks to the LogLevel VERBOSE directive, but mapping those back to users is a manual, complex process (among other things, SSH tooling doesn't exactly make it easy to go from a public key string to a fingerprint).

The solution to this is a mechanism by which, on every successful SSH connection, we look up the key used, map it to an admin username, and create an additional syslog entry with those.

The implementation relies on PAM, taking advantage of pam_exec to run a small logging command when a successful SSH connection is established. Hooking this up to the PAM session stage allows us to detect the beginning and end of each session (by looking at PAM_TYPE being open_session or close_session).

Something like the following, in /etc/pam.d/sshd, should be sufficient for system integration:

session   optional   pam_exec.so {seteuid} /usr/bin/ssh-key-wtmp

The major feature of the tool is logging the connection details over syslog, so that they will eventually be transferred to the centralized logging system. But it is also possible to query the local session database just as one would with the last(1) tool: just invoking ssh-key-wtmp will list the last 100 sessions on the local host.

The tool handles reboots by starting the ssh-key-wtmp-boot.service systemd unit at boot, which looks through the wtmp database and emits close_session logs for the sessions that were active at reboot time. This ensures that all logged sessions have a matching open_session/close_session pair.
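The following is an added example, not the project's own code, showing the two mechanisms described above in one small script: the pam_exec session hook that maps the login key to an admin name and emits a syslog line, and the pairing logic a boot-time unit needs to find sessions left open at reboot. It assumes that sshd exposes the key used for the login to PAM as SSH_AUTH_INFO_0 (lines of the form "publickey <type> <base64>"), that pam_exec passes that variable along with PAM_TYPE, PAM_USER and PAM_RHOST to the child, and that the admin key list is available locally; the admin keys, the fingerprint index and the session-identity rule (user, fingerprint, rhost) are constructed for the example.

```python
"""ssh-key-wtmp-style session logger (added example, not the project's code).

Assumptions: sshd exposes the login key to PAM as SSH_AUTH_INFO_0, pam_exec
exports it together with PAM_TYPE/PAM_USER/PAM_RHOST, and the admin key list
below is a constructed sample standing in for the real admin configuration.
"""
import base64
import hashlib
import os
import sys


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_key_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from 32 raw bytes (constructed data only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: admin username -> public key lines (not real keys).
ADMIN_KEYS = {
    "alice": [make_ed25519_key_line(bytes(range(32)), "alice@laptop")],
    "bob": [make_ed25519_key_line(bytes(range(32, 64)), "bob@desktop")],
}


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256 over the key blob.

    This is the public-key-string -> fingerprint step that sshd's VERBOSE log
    lines require you to do by hand."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_index(admin_keys: dict) -> dict:
    """Invert the admin key list into fingerprint -> admin username."""
    return {fingerprint(line): admin for admin, lines in admin_keys.items() for line in lines}


ADMIN_INDEX = build_index(ADMIN_KEYS)


def key_from_auth_info(auth_info: str):
    """Extract '<type> <base64>' from SSH_AUTH_INFO_0 ('publickey <type> <b64>' lines)."""
    for line in auth_info.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "publickey":
            return f"{fields[1]} {fields[2]}"
    return None


def build_event(env: dict, index: dict):
    """Turn the pam_exec environment into a session event; None for other PAM stages."""
    pam_type = env.get("PAM_TYPE")
    if pam_type not in ("open_session", "close_session"):
        return None
    key = key_from_auth_info(env.get("SSH_AUTH_INFO_0", ""))
    fp = fingerprint(key) if key else None
    return {
        "event": pam_type,
        "user": env.get("PAM_USER", "?"),
        "admin": index.get(fp, "unknown") if fp else "unknown",
        "fingerprint": fp or "-",
        "rhost": env.get("PAM_RHOST", "?"),
    }


def format_event(ev: dict) -> str:
    """One syslog line per event, easy to grep locally and to parse centrally."""
    return ("ssh-key-wtmp: {event} user={user} admin={admin} "
            "fingerprint={fingerprint} rhost={rhost}").format(**ev)


def unclosed_sessions(events: list) -> list:
    """open_session events with no matching close_session, in log order.

    This is what a boot-time unit needs in order to emit synthetic close_session
    entries for sessions that were active at reboot. Sessions are matched on
    (user, fingerprint, rhost), an assumed identity rule for this example."""
    open_by_key = {}
    for ev in events:
        key = (ev["user"], ev["fingerprint"], ev["rhost"])
        if ev["event"] == "open_session":
            open_by_key.setdefault(key, []).append(ev)
        elif ev["event"] == "close_session" and open_by_key.get(key):
            open_by_key[key].pop(0)
    return [ev for stack in open_by_key.values() for ev in stack]


if __name__ == "__main__":
    # Invoked by pam_exec: read the PAM environment and log, never failing the login.
    event = build_event(dict(os.environ), ADMIN_INDEX)
    if event is not None:
        import syslog
        syslog.openlog("ssh-key-wtmp", 0, syslog.LOG_AUTH)
        syslog.syslog(syslog.LOG_INFO, format_event(event))
    sys.exit(0)
```

A key that is not in the admin list is logged as admin=unknown rather than dropped, so an unexpected key still produces an auditable event; the fingerprint format matches what ssh-keygen -lf prints, which lets the emitted lines be correlated with sshd's own VERBOSE log entries.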