LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

12-19-2010, 11:27 PM   #1
william.groom (LQ Newbie; registered Jan 2005; posts: 7)

Mapping Authorized Keys Entry to sshd process

When a user that has an RSA public key set in the ~/.ssh/authorized_keys file logs in via ssh, an sshd process is started to handle the ssh session.

Periodically we audit the authorized keys and remove them from the system and from the authorized_keys file. This means the next login attempt will fail, which is fine.

However, we need to terminate current ssh sessions in progress that use the RSA key.

I have not been able to determine a way to map sshd processes with authorized_keys entries.

Any help would be appreciated.
 
12-20-2010, 03:41 AM   #2
chickenjoy (Member; registered Apr 2007; distribution: centos, rhel, solaris; posts: 200)
Quote:
I have not been able to determine a way to map sshd processes with authorized_keys entries.
What have you tried already?
 
12-20-2010, 05:23 AM   #3
Noway2 (Senior Member; registered Jul 2007; distribution: Ubuntu 10.10, Slackware 64-current; posts: 2,124)
I just tried to do this myself, and unless there is some magic shortcut that I don't see, this task isn't as simple as it may seem at first. It takes a little bit of manual log cross-checking and a few other commands, but you may be able to tie them together. What I did and what I found are shown below:

I logged into my server via RSA key. Then on the server, I looked in /var/log/auth.log and saw the user name, the IP address, and the process ID, e.g. sshd[3878], with 3878 being the PID. Then using 'ps -aux' I found the following:
Code:
root      3878  0.0  0.1 108908  4828 ?        Ss   05:03   0:00 sshd: myuserid [priv]
Indicating that this is the process to kill. If this is enough information, you're done. However, taking it a step further ...
Doing an nslookup of the IP address obtained in auth.log gave me the hostname of the machine I logged in from. Note, I use DDNS on my LAN with forward and reverse zones, so I am able to resolve the host name, and I am assuming you have a similar mechanism to do this. Next, given the host name, it was trivial to find the line in authorized_keys. ** However, I have seen a lot of keys that do NOT have a hostname associated with them at the end of the line. ** I am not sure how you would correlate them to a machine if you do not, unless you keep a list or log of the public keys and which machine they are associated with.
 
12-20-2010, 05:26 AM   #4
william.groom (Original Poster)

Mapping Authorized Keys Entry to sshd process

Objective: given an RSA key (that exists in a user's .ssh/authorized_keys), how can we determine which currently running ssh sessions belong to that user, so we can terminate the ssh sessions? I have looked at the following to try and find a mapping.

The sshd processes (lsof and environment), to see if any authorized RSA keys are stored. No such luck.

The ~/.ssh/rc file. Here I can determine the shell PID and hence the parent, which is the sshd. However, I cannot get access to the RSA key being used.

Noticed /var/log/messages has the following fingerprint entry (so it could hold the mapping from RSA key to fingerprint via ssh-keygen), but there is no guarantee the messages file has not been aged, hence not a good option to scan. So would need to set up a monitor of the messages file. Yuk.
sshd[18126]: Found matching RSA key: bd:35:de:0d:4e:bf:af:82:60:66:f2:f9:9f:2d:dc:4d
 
12-20-2010, 05:35 AM   #5
william.groom (Original Poster)

Mapping Authorized Keys Entry to sshd process

Sorry Noway2, I missed your response.

If you start with an RSA/DSA key, could you still track this to the sshd PID? It's this direction I need to map.

Note: in our environment many users can log in from the same machine (they have their own PKI certificates, of which the RSA key is added to authorized_keys), so the authorized_keys for a user may have many keys with the same IP address. I agree the IP address(es) may also be missing.

Last edited by william.groom; 12-20-2010 at 05:42 AM.
 
12-20-2010, 05:42 AM   #6
djsmiley2k (Member; registered Feb 2005; location: Coventry, UK; distribution: Home: Gentoo x86/amd64, Debian ppc. Work: Ubuntu, SuSe, CentOS; posts: 343)
Do you know the username? If so...

ps -u <username> | grep sshd

Will give you the PID of any open ssh connections for that user. I presume if you're removing keys then the user is aware of this (as they'd have to start using a new key) and will understand when you kill their ssh session (if you wanted, you could 'write' something to their terminal to warn them first).

However I can't see any simple way of associating keys to users, other than the fact they are stored in the users authorized_keys folder...
 
12-20-2010, 05:43 AM   #7
Reuti (Senior Member; registered Dec 2004; location: Marburg, Germany; distribution: openSUSE 13.1; posts: 1,320)
And another question: why do you want to terminate these sessions? The ssh keys are only used for authentication. You could scan the messages file, though, for entries of the public key.
 
12-20-2010, 05:48 AM   #8
william.groom (Original Poster)
Quote:
Originally Posted by djsmiley2k View Post
Do you know the username? If so...

ps -u <username> | grep sshd

Will give you the PID of any open ssh connections for that user. I presume if you're removing keys then the user is aware of this (as they'd have to start using a new key) and will understand when you kill their ssh session (if you wanted, you could 'write' something to their terminal to warn them first).

However I can't see any simple way of associating keys to users, other than the fact they are stored in the users authorized_keys folder...
We have multiple users that log on to a single user account, X. They are allowed to access the system provided their RSA key exists in user X's authorized_keys. They will not know they have been removed. We cannot kill all processes associated with user X, since other valid users are still accessing the system.
 
12-20-2010, 05:52 AM   #9
william.groom (Original Poster)
Quote:
Originally Posted by Reuti View Post
And another question: why do you want to terminate these sessions? The ssh-keys are only used for authentication. You could scan the messages file though for entries of public key .
We have a requirement that when a user's certificate is revoked, any ssh sessions active for that user must be terminated.
So we can remove the RSA key from authorized_keys (easily done), which stops the user logging in again, but the user may be logged in already when the certificate is revoked. Hence the need to terminate these sessions.
 
01-04-2011, 08:08 AM   #10
william.groom (Original Poster)
Quote:
Originally Posted by william.groom View Post
We have a requirement that when a user's certificate is revoked, any ssh sessions active for that user must be terminated.
So we can remove the RSA key from authorized_keys (easily done), which stops the user logging in again, but the user may be logged in already when the certificate is revoked. Hence the need to terminate these sessions.
The only solution I came up with was marking each authorized_keys entry with a unique environment variable. This is passed to the /etc/ssh/sshrc script, which extracts the PID of the shell and enters the PID plus the tag into a file. Hence when removing entries from authorized_keys you can use the tag to look up the PID(s) and kill these sessions.
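The tagging scheme described in the post above, written out as an added example (this is not the original poster's script). It assumes sshd_config contains PermitUserEnvironment yes, which the environment= option in authorized_keys requires, and uses names chosen for this example only: a KEY_TAG variable, a map file /var/lib/sshtag/sessions, and a library /usr/local/lib/sshtag.sh that the rc file sources.

```shell
#!/bin/sh
# Added example, not the thread's own code: tag each authorized_keys entry
# with an environment variable, record "tag -> session PID" from the
# per-login rc script, and consult that map when the key is revoked.
#
# Assumed setup (names chosen for this example):
#   /etc/ssh/sshd_config:    PermitUserEnvironment yes    (needed for environment=)
#   ~X/.ssh/authorized_keys: environment="KEY_TAG=alice-2010-12" ssh-rsa AAAA... alice
#   ~X/.ssh/rc (or /etc/ssh/sshrc):
#       . /usr/local/lib/sshtag.sh
#       record_session "$KEY_TAG" "$PPID"
# sshd runs the rc file from a child of the process that is about to exec the
# login shell, so $PPID inside rc is the shell's PID; killing it ends that
# session only. KEY_TAG is set from the one authorized_keys line that matched.

SESSION_MAP=${SESSION_MAP:-/var/lib/sshtag/sessions}   # one "tag pid" per line

# Append a tag/PID pair; a login whose key carries no tag records nothing.
record_session() {
    tag=$1; pid=$2
    [ -n "$tag" ] && [ -n "$pid" ] || return 0
    printf '%s %s\n' "$tag" "$pid" >> "$SESSION_MAP"
}

# PIDs recorded for a tag, in login order, without duplicates.
pids_for_tag() {
    [ -f "$SESSION_MAP" ] || return 0
    awk -v t="$1" '$1 == t && !seen[$2]++ { print $2 }' "$SESSION_MAP"
}

# Delete every authorized_keys entry that carries the tag and leave the rest
# untouched. The result is written to a temp file and renamed into place so
# sshd never reads a half-written authorized_keys.
remove_tag_from_authkeys() {
    file=$1; tag=$2; tmp="$file.tmp.$$"
    grep -vF "environment=\"KEY_TAG=$tag\"" "$file" > "$tmp" || :  # grep -v exits 1 when nothing is left
    mv "$tmp" "$file"
}

# Revocation: first the key, then the live sessions. The map is append-only
# and PIDs are reused after logout, so a recorded PID is signalled only while
# it still belongs to the shared account.
revoke_tag() {
    file=$1; tag=$2; account=$3
    remove_tag_from_authkeys "$file" "$tag"
    want_uid=$(id -u "$account")
    for pid in $(pids_for_tag "$tag"); do
        have_uid=$(ps -o uid= -p "$pid" 2>/dev/null | tr -d ' ')
        [ "$have_uid" = "$want_uid" ] || continue   # exited, or PID reused by someone else
        echo "terminating session $pid (tag $tag)"
        kill "$pid"
    done
}
```

Two caveats before relying on it. ~/.ssh/rc takes precedence over /etc/ssh/sshrc, so anyone holding a key for the shared account can drop in their own rc and never be recorded unless the account cannot write its own ~/.ssh/rc. And PermitUserEnvironment lets every authenticated user set variables such as LD_PRELOAD, which the sshd_config man page warns can bypass access restrictions in some configurations; the fingerprint matching described later in the thread (post #12) needs neither.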
 
01-04-2011, 08:32 AM   #11
Reuti (Senior Member; registered Dec 2004; location: Marburg, Germany; distribution: openSUSE 13.1; posts: 1,320)
Great that you found a way.

BTW: I just recall a comment I read somewhere that someone else also complained about a missing "revoke" feature for ssh keys in SSH. I.e., you know a public key is faulty, and you don't want to accept it at all (or, in your case, quit all active sessions with it). What I miss in addition is some option to see, in the public keys on my server, whether their private counterparts are passphraseless, and to not allow them.
 
01-04-2011, 09:01 AM   #12
william.groom (Original Poster)
Quote:
Originally Posted by Reuti View Post
Great that you found a way.

BTW: I just recall a comment I read somewhere that someone else also complained about a missing "revoke" feature for ssh keys in SSH. I.e., you know a public key is faulty, and you don't want to accept it at all (or, in your case, quit all active sessions with it). What I miss in addition is some option to see, in the public keys on my server, whether their private counterparts are passphraseless, and to not allow them.
Thanks. Another way to match the public key with the user is to look at the fingerprint.
Turn on VERBOSE logging in sshd_config. You will see the fingerprint in /var/log/messages.
You can then have a script read the RSA keys from the ~user/.ssh/authorized_keys file and pass them to the ssh-keygen command, e.g. ssh-keygen -l -f <file with public key>.
This displays the fingerprint, which you can match against the messages file.

Not sure if this helps, but to see the public keys I thought you could pass a certificate.pem to openssl commands to extract the public key.

Code:
# generate public key part from private key
openssl rsa -in key.pem -pubout -out pubkey.pem

# display certificate fingerprint
openssl x509 -in certificate.pem -noout -fingerprint
SHA1 Fingerprint=7D:32:35:9F:1D:E7:7B0:AC:43:FA:85:56:44:1E:2E:F9:B5:40:AA
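Post #3 finds the sshd PID in the auth log and post #12 matches keys by fingerprint; as an added example (not code from the thread), here is that correlation as shell functions. The fingerprint of an OpenSSH public key is the MD5 or SHA256 digest of the base64-decoded key blob, which is what ssh-keygen -l -f prints (openssl does not read the authorized_keys format), so the functions compute it directly with coreutils. The log lines and the "YWJj" key blob are constructed for the test; the blob is not a valid key. Removing the entry from authorized_keys, or listing the key in sshd_config RevokedKeys (OpenSSH 5.4 and later), stops new logins; neither ends sessions already open, which is what this lookup is for.

```shell
#!/bin/sh
# Added example, not from the thread: tie an authorized_keys entry to the
# sshd process that accepted it, using the key fingerprint and the auth log.
# Needs GNU coreutils (base64 -d, md5sum); fp_sha256 also needs openssl.

# The key blob is the field after the first key-type token. Options such as
# environment="..." or from="..." may precede the key type, so it is not
# always field 2.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit }
    }'
}

# MD5 fingerprint as colon-separated hex: the form in the thread's
# "Found matching RSA key: bd:35:..." line (sshd before OpenSSH 6.8) and
# what "ssh-keygen -l -E md5 -f file" prints.
fp_md5() {
    key_blob "$1" | tr -d '\n' | base64 -d | md5sum | cut -d' ' -f1 \
        | sed 's/../&:/g; s/:$//'
}

# SHA256 form ("SHA256:" + unpadded base64 of the digest), the default for
# OpenSSH 6.8 and later; equivalent to "ssh-keygen -l -f file".
fp_sha256() {
    printf 'SHA256:%s' "$(key_blob "$1" | tr -d '\n' | base64 -d \
        | openssl dgst -sha256 -binary | base64 | tr -d '=\n')"
}

# PIDs of sshd processes that authenticated with the given fingerprint.
# Matches the LogLevel VERBOSE "Found matching RSA key: <fp>" line and the
# "Accepted publickey ... <fp>" line newer sshd writes at the default INFO
# level. The PID is the one ps shows as "sshd: <user> [priv]"; killing it
# ends that session and no other.
sessions_for_fp() {
    fp=$1; log=$2
    grep -F -- "$fp" "$log" \
        | grep -E 'Found matching [A-Z0-9]+ key|Accepted publickey' \
        | sed -n 's/.*sshd\[\([0-9][0-9]*\)\].*/\1/p' | sort -un
}

# For each key in an authorized_keys file, print "fingerprint pid" for every
# logged session that used it. Confirm each PID with
#   ps -o pid=,user=,args= -p PID
# before sending SIGTERM, since PIDs are reused after logout.
sessions_for_authkeys() {
    file=$1; log=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        fp=$(fp_md5 "$line")
        for pid in $(sessions_for_fp "$fp" "$log"); do
            printf '%s %s\n' "$fp" "$pid"
        done
    done < "$file"
}
```

sshd writes the "Found matching RSA key" line only at LogLevel VERBOSE, as the post says; newer releases include the fingerprint in the Accepted publickey line at the default INFO level, and from OpenSSH 6.8 they print SHA256 fingerprints, so use fp_sha256 there (or ssh-keygen -l -E md5 to keep the old form). The limitation post #4 raises still applies: once the login's log line has been rotated away, nothing here can find the session, so the log must be retained for at least the longest session you expect.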
 