track SSH logins by SSH key instead of usernames
We have a handful of SSH services that all operate on the same UNIX users: git@git.tpo is the typical one, but I believe this also applies to git@gitlab.tpo. It certainly applies to root accounts as well.
Normally, when you log in to a server, PAM adds an entry to the utmp "log" keeping track of your terminal, IP address and username, and how long you're logged in (in wtmp). For those servers, this information is close to useless and makes audits cumbersome because you actually need to go through auth.log and reverse-map SSH keys instead.
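As an added example (not code from this ticket or from the ssh-key-wtmp plugin), this is the reverse-mapping step described above done by hand: it reads sshd `Accepted ... ssh2: <type> SHA256:...` lines from auth.log, maps the key fingerprint to an owner label (the fingerprint-to-owner table, the host name and the IP addresses are constructed placeholders, as is the assumed log year since syslog timestamps carry none), pairs each login with its `Disconnected from user` line on (ip, port) to get a session duration, and flags logins whose key is not in the table or that used no key at all. This is the audit one would otherwise do by eye, and shows why a per-key wtmp-style log is attractive.

```python
"""Reverse-map sshd auth.log lines to SSH key owners (example audit helper)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed fingerprints (real ones are 43 base64 chars after "SHA256:").
FP_ALICE = "SHA256:" + "A" * 43
FP_BOB = "SHA256:" + "B" * 43
FP_UNKNOWN = "SHA256:" + "C" * 43  # deliberately absent from KEY_OWNERS

# Fingerprint -> owner label, as one would derive from authorized_keys comments.
KEY_OWNERS: Dict[str, str] = {FP_ALICE: "alice-laptop", FP_BOB: "bob-yubikey"}

LOG_YEAR = 2024  # assumption: syslog timestamps have no year

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
    r" ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?$")
DISCONNECT_RE = re.compile(
    r"^Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)$")


@dataclass
class Session:
    started: datetime
    user: str          # the shared UNIX account, e.g. "git"
    ip: str
    port: str
    method: str        # "publickey", "password", ...
    fingerprint: Optional[str]
    owner: str         # who actually logged in, resolved from the key
    ended: Optional[datetime] = None

    def duration_seconds(self) -> Optional[float]:
        if self.ended is None:
            return None
        return (self.ended - self.started).total_seconds()


def _parse_ts(ts: str) -> datetime:
    # Collapse the double space in "Mar  3" before parsing.
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_sessions(lines: List[str]) -> List[Session]:
    """Turn auth.log lines into Sessions; a session with no Disconnected line stays open."""
    open_sessions: Dict[tuple, Session] = {}
    sessions: List[Session] = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        a = ACCEPTED_RE.match(m["msg"])
        if a:
            fp = a["fp"]
            if fp is None:
                owner = f"no-key ({a['method']})"      # e.g. password login: no key to map
            else:
                owner = KEY_OWNERS.get(fp, "unknown-key")  # key not in our table: investigate
            s = Session(_parse_ts(m["ts"]), a["user"], a["ip"], a["port"], a["method"], fp, owner)
            open_sessions[(a["ip"], a["port"])] = s
            sessions.append(s)
            continue
        d = DISCONNECT_RE.match(m["msg"])
        if d:
            s = open_sessions.pop((d["ip"], d["port"]), None)
            if s is not None:
                s.ended = _parse_ts(m["ts"])
    return sessions


def logins_by_owner(sessions: List[Session]) -> Dict[str, List[Session]]:
    grouped = defaultdict(list)
    for s in sessions:
        grouped[s.owner].append(s)
    return dict(grouped)


def audit_report(sessions: List[Session]) -> List[str]:
    """One line per session: who (by key), as which UNIX user, from where, for how long."""
    rows = []
    for s in sessions:
        dur = s.duration_seconds()
        dur_s = "open" if dur is None else f"{int(dur)}s"
        rows.append(f"{s.started:%b %d %H:%M:%S} {s.owner:<20} user={s.user:<5} ip={s.ip:<15} {dur_s}")
    return rows


# Constructed auth.log excerpt (hostname and addresses are documentation ranges).
SAMPLE_LOG = f"""\
Mar  3 10:15:22 gitsrv sshd[4101]: Accepted publickey for git from 203.0.113.5 port 51234 ssh2: ED25519 {FP_ALICE}
Mar  3 10:15:22 gitsrv sshd[4101]: pam_unix(sshd:session): session opened for user git(uid=1001) by (uid=0)
Mar  3 10:16:40 gitsrv sshd[4177]: Accepted publickey for git from 198.51.100.7 port 40022 ssh2: RSA {FP_BOB}
Mar  3 10:17:03 gitsrv sshd[4101]: Disconnected from user git 203.0.113.5 port 51234
Mar  3 10:20:11 gitsrv sshd[4250]: Accepted publickey for git from 192.0.2.9 port 33002 ssh2: ED25519 {FP_UNKNOWN}
Mar  3 10:22:00 gitsrv sshd[4290]: Accepted password for root from 192.0.2.44 port 56001 ssh2
Mar  3 10:25:30 gitsrv sshd[4177]: Disconnected from user git 198.51.100.7 port 40022
"""

if __name__ == "__main__":
    for row in audit_report(parse_sessions(SAMPLE_LOG.splitlines())):
        print(row)
```

Pairing on (ip, port) rather than on the sshd pid is a deliberate choice for this example: the port pair is unique per TCP connection, whereas which sshd process logs the Disconnected line varies between OpenSSH versions. Anything reported as `unknown-key` or `no-key` is exactly the case the plugin-style per-key log is meant to make obvious instead of buried.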
Friends wrote the ssh-key-wtmp PAM plugin which does this. It's not packaged in Debian, it's a bunch of golang that might be packageable however, even though it vendors a bit of code.
The way that thing works is it hooks up in PAM and writes better logs in a separate log file. It also logs the IP address used in the connection, alongside a Maxmind GeoIP and Tor exit list lookup.