LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-03-2019, 01:47 AM   #1
Veen77
LQ Newbie
 
Registered: Sep 2019
Posts: 6

Rep: Reputation: Disabled
SSH login tracking and session activity Tracking


Hi.

I am trying to set up a detailed log system for SSH logins in the server. I am planning to do the following -

1. Use SSH keys instead of password logins. (I know how to do this.) Enable 2 factor auth on the same (don't know what I can do). The scenario will be like the login person will receive OTP on his phone and then he will login.

2. I want to know what machine exactly logged into the server (maybe using keys or something) - as public IP might be same for multiple machines.

3. I want to track all the activities performed during the SSH login session.

4. Everything should be open source.

5. I also want to display a file as someone ssh into the server - to state the reason of login - and then the file will be closed and saved for later my review.

I am using Ubuntu Server 18.10
 
Old 09-03-2019, 02:35 AM   #2
Veen77
LQ Newbie
 
Registered: Sep 2019
Posts: 6

Original Poster
Rep: Reputation: Disabled
Please can anyone guide me on how do I get this implemented?

 
Old 09-03-2019, 03:36 AM   #3
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Don't expect answers to rather uncommon questions after 50 minutes. By the way, when you add a comment to your thread, the thread is removed from the zero-reply threads list, and fewer people will read it.

You could have done a bit of googling and easily found some of the answers.

Having said that, here are my answers.

I don't know about two-factor authentication, but googling that is very easy. See, for example, https://www.digitalocean.com/communi...n-ubuntu-16-04.

Quote:
Originally Posted by Veen77 View Post
2. I want to know what machine exactly logged into the server(maybe using keys or something) - as public IP might be same for multiple machines.
You find that in a log file like /var/log/auth.log on Ubuntu. You could have read the sshd man page to figure this out.
Quote:
3. I want to track all the activities performed during the SSH login session.
Can be done using the shell's history mechanism, but the interactive user has control over history and can also opt for running a shell that has no history.
You may want to look into auditing or tracing.

Quote:
5. I also want to display a file as someone ssh into the server - to state the reason of login - and then the file will be closed and saved for later my review.
I would use the sshd log. I don't know what you mean by reason for login (perhaps the user is bored?) and how it can be figured out, but the client's IP address is logged. There must be ways to flash file content onto your screen, but personally I have not had that requirement and don't know how to achieve it.
 
Old 09-03-2019, 03:51 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,365
Blog Entries: 3

Rep: Reputation: 3767
Welcome... and slow down. Everyone here is a volunteer and we all live in different time zones. If your question is interesting to someone, you'll get an answer eventually.

Phones *ARE NOT* a second factor, just so you know. SIM spoofing is a technically trivial social engineering activity that costs almost nothing but some time. So if it is worth spending half an hour or so on, it can be done. Just ask social control media star Jack Dorsey about that.

With all that out of the way, as for question #1, you might look in the Ubuntu repository at otp in the package "heimdal-clients". It probably won't be hard to set up but there will be a lot of reading involved and you may have to delve into Pluggable Authentication Modules (PAM) in addition to the SSH server configuration to use OTP. If you are not giving out the single-use passwords in batches, then you might also have to script something in bash, perl, or python to send an SMS containing the active one-time password.

As for the auditing, look at the package auditd.

Last edited by Turbocapitalist; 09-03-2019 at 03:57 AM. Reason: typos
 
Old 09-03-2019, 03:55 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,365
Blog Entries: 3

Rep: Reputation: 3767
As for question #5, you can make a shell script to ask your question and log the answer before processing the variable SSH_ORIGINAL_COMMAND. That can be forced for a group of accounts in /etc/sshd_config using the Match and ForceCommand configuration directives. You'll have to take into account the PTY status as well and whether SFTP is being used or allowed.

Instead of SSH keys you might look at SSH certificates to further limit access.
 
Old 09-03-2019, 04:24 AM   #6
Veen77
LQ Newbie
 
Registered: Sep 2019
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thank you very much for your replies. This has definitely helped me get closer towards what I am trying to do : ) .

berndbausch - I did check Google a lot before coming to this forum. I know about the sshd logs - but I need some way to implement such that I will get reason of logging in to server and all the logs of that login session collectively in place - or some script that will do it for me. I can do some shell scripting. If you can tell me some open source tools that would allow me to do so or something else you may suggest.

Turbocapitalist - Thanks a lot for your reply. Now after some research I am dropping the idea of 2FA over SMS on phone to - email the 2FA code. (can be implemented for free. SMS 2FA costs money). If you could answer more of my above questions - I would be grateful.
 
Old 09-03-2019, 04:26 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,365
Blog Entries: 3

Rep: Reputation: 3767
As for #2, the SSH keys or SSH certificates should be tied to accounts and roles not machines, unless you are planning on setting up host-based authentication.

As for #3, what did your readings about auditd turn up?
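
Requirement #2 and the auth.log pointer in post #3, as an added example that is not from any poster: sshd records the fingerprint of the key used for each accepted public-key login, which separates logins that share one public IP. The log lines are constructed and assume the traditional syslog line layout; as post #7 notes, a key identifies its holder, not a machine.

```shell
#!/bin/sh
# Added example. Constructed sshd lines in the layout written to
# /var/log/auth.log; hosts, addresses and fingerprints are made up.
sample_auth_log() {
cat <<'EOF'
Sep  3 01:40:12 srv sshd[2211]: Accepted publickey for alice from 203.0.113.7 port 50412 ssh2: RSA SHA256:AAAAconstructedfingerprint0000000000000000001
Sep  3 01:41:03 srv sshd[2240]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Sep  3 01:52:47 srv sshd[2302]: Accepted publickey for alice from 203.0.113.7 port 50533 ssh2: ED25519 SHA256:BBBBconstructedfingerprint0000000000000000002
Sep  3 02:10:19 srv sshd[2388]: Accepted password for bob from 203.0.113.7 port 50610 ssh2
EOF
}

# Read auth.log lines on stdin, print "user ip method key" per accepted login.
# Field positions assume the "Mon DD HH:MM:SS host sshd[pid]:" prefix.
accepted_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" {
        key = ($7 == "publickey" && NF >= 16) ? $16 : "-"
        print $9, $11, $7, key
    }'
}

# Count distinct keys per source address. More than one key behind a single
# address means several identities share that public IP.
keys_per_ip() {
    accepted_logins | awk '$4 != "-" { print $2, $4 }' | sort -u |
        awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }'
}

# Against a real log: accepted_logins < /var/log/auth.log
```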
 
Old 09-03-2019, 05:05 AM   #8
BAKABON
Member
 
Registered: Sep 2016
Distribution: kali linux
Posts: 47

Rep: Reputation: 7
try this out - https://linux.die.net/man/8/auditd

Auditd operates at kernel level. So just read a bit more about it and you could implement it for your requirement #3.

Have Fun : P
 
1 members found this post helpful.
Old 09-03-2019, 05:28 AM   #9
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
Originally Posted by Veen77 View Post
I need some way to implement such that I will get reason of logging in to server
I probably misunderstood your point 5 - I thought you wanted a file to be displayed to YOU, the system administrator. You seem to require the client to enter the reason why they log on. I don't know how one can force the client to enter a reason, although Turbocapitalist seems to have a solution.

Don't worry. Everything we propose here is open-source, and most likely it's built into most Linux systems. I.e. no need to install something.
 
Old 09-04-2019, 09:11 AM   #10
Veen77
LQ Newbie
 
Registered: Sep 2019
Posts: 6

Original Poster
Rep: Reputation: Disabled
Issue Solved

Thank you all very much for your help : )

I am using auditd for log related activities.

To display banner after login I am using a config file in sshd.

For 2 factor auth - I have set up an SMTP server and am using a free Linux email utility - mailutils - to send emails (just mark mailutils mail as not spam in inboxes). I have written a script.

To make user enter the reason before login to the server - I have written a script. Use trap logout in script if user does not write to file, or else Ctrl+C will allow him to skip reason.
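
The ForceCommand wrapper described in post #5, with the Ctrl+C handling mentioned in post #10, as an added example (not the original poster's script). The script path, the group name `audited` and the log file location are assumptions; refusing sessions without a terminal is one possible policy for the PTY/SFTP case.

```shell
#!/bin/sh
# Added example. Assumed names: /usr/local/bin/login-reason, group "audited".
# sshd_config fragment using the Match and ForceCommand directives:
#   Match Group audited
#       ForceCommand /usr/local/bin/login-reason
REASON_LOG="${REASON_LOG:-/var/log/login-reason.log}"   # assumed location

# Drop control characters and double quotes so input cannot forge log fields.
sanitize_reason() {
    printf '%s' "$1" | tr -d '\000-\037\177' | tr '"' "'" | cut -c1-200
}

# Append one record: UTC time, user, client address, reason, requested command.
log_reason() {
    printf '%s user=%s client=%s reason="%s" cmd="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "${SSH_CONNECTION%% *}" "$(sanitize_reason "$1")" \
        "$(sanitize_reason "${SSH_ORIGINAL_COMMAND:-interactive shell}")" \
        >> "$REASON_LOG"
}

# Prompt until a non-blank reason is entered; fail on end of input.
ask_reason() {
    while :; do
        printf 'Reason for this login: ' >&2
        IFS= read -r reason || return 1
        reason=$(sanitize_reason "$reason")
        if [ -n "$(printf '%s' "$reason" | tr -d ' ')" ]; then
            printf '%s\n' "$reason"
            return 0
        fi
    done
}

main() {
    # Ctrl+C, hangup or kill ends the session instead of skipping the prompt.
    trap 'exit 1' INT HUP TERM QUIT
    # No terminal (sftp, scp, ssh host cmd without -t): refuse, nothing unlogged.
    [ -t 0 ] || { echo 'A terminal is required (use ssh -t).' >&2; exit 1; }
    reason=$(ask_reason) || exit 1
    log_reason "$reason" || exit 1
    trap - INT HUP TERM QUIT
    # Hand over to the login shell, or to the command the client asked for.
    [ -n "$SSH_ORIGINAL_COMMAND" ] || exec "${SHELL:-/bin/sh}" -l
    exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
}

if [ "${0##*/}" = "login-reason" ]; then main; fi   # skip when sourced
```

Under ForceCommand the wrapper is the whole session, so when it exits the connection closes. It runs as the logging-in user, so a log file that user can append to is one they can also alter; sending the same record to syslog with logger(1) avoids that.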
 
  

