We have an environment where multiple users access the same server using the same functional account. This is by design and works well for our needs.
The authentication is done through the keys stored in the ~/.ssh/authorized_keys file. My problem happens when I log on to the server and I notice someone is doing some action but I don't know who it is.
My question is: Is it possible to intercept when someone logs in to the server and write into a logfile something like this:
<timestamp> <fingerprint from authorized_keys file> <functional account name>
Regards
If you want to detect the currently used ssh key from within the current ssh session, then it seems there’s a better way since OpenSSH 7.6:
Set ExposeAuthInfo yes in your server’s sshd_config. You should be able to limit this configuration to a specific user via Match User geoaxis.
Then, after restarting sshd and re-login, there should be an environment variable SSH_USER_AUTH that contains the path to a file with authentication information. In case of public key authentication this file contains the full public key prefixed with the string publickey.
This way you don’t need to manually add environment variables to your ~/.ssh/authorized_keys.
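One way to turn the SSH_USER_AUTH file into the log line asked for in the question, as an added example that is not part of the original answer. It assumes the script is run at session start (for instance from the account's shell profile); the log path, the function names and the sample file content are constructed for illustration.

```python
import base64
import getpass
import hashlib
import os
import time

# Constructed sample of an SSH_USER_AUTH file; the blob is not a real key.
SAMPLE = ("publickey ssh-ed25519 "
          + base64.b64encode(b"constructed, not a real key").decode()
          + "\npassword\n")


def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    blob = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_auth_info(text):
    """Return (key_type, fingerprint) for each publickey line."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        # Lines for other methods (e.g. password) carry no key: skip them.
        if len(fields) < 3 or fields[0] != "publickey":
            continue
        try:
            keys.append((fields[1], fingerprint(fields[2])))
        except ValueError:
            continue  # malformed base64: never log a made-up fingerprint
    return keys


def log_lines(text, account, now=None):
    """Format '<timestamp> <fingerprint> <account>' entries."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(now))
    return [f"{stamp} {fp} {account}" for _, fp in parse_auth_info(text)]


if __name__ == "__main__":
    path = os.environ.get("SSH_USER_AUTH")  # set by sshd with ExposeAuthInfo yes
    if path:
        with open(path) as fh:
            entries = log_lines(fh.read(), getpass.getuser())
        # Hypothetical log location; choose your own.
        with open(os.path.expanduser("~/ssh-key-logins.log"), "a") as log:
            log.writelines(entry + "\n" for entry in entries)
```

The fingerprint can be matched against the output of ssh-keygen -lf ~/.ssh/authorized_keys to see whose key it is. A log written by the shared account can also be edited by anyone using that account, so treat it as a convenience record.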