pavelanni/ssh-login-monitor

SSH login monitor

This program logs SSH login and logout events on the system. It keeps track of the authorized keys added to the system and calculates their fingerprints. Based on the fingerprints this monitor can tell which SSH key was used to log in to the host.

For example, you may have several users who have access to the root account on the host. You add those users' public keys to /root/.ssh/authorized_keys and that gives them root access to the system. Each login and logout event is logged in the systemd journal (get them using journalctl -t sshd), but those records contain only SSH key fingerprints. This program maps fingerprints back to the SSH public keys and logs SSH events with the key user names, which are usually stored in the public key comments.

The program’s log will look like this:

<nil> INF ssh event event time="2023-05-27 21:30:57 +0000 UTC" event type=login key user=alice@fedora port=44670 source ip=192.168.1.24 username=root
<nil> INF ssh event event time="2023-05-27 21:31:00 +0000 UTC" event type=logout key user=alice@fedora port=44670 source ip=192.168.1.24 username=root
<nil> INF ssh event event time="2023-05-28 16:02:55 +0000 UTC" event type=login key user=charlie@fedora port=53456 source ip=192.168.1.24 username=root
<nil> INF ssh event event time="2023-05-28 16:02:59 +0000 UTC" event type=logout key user=charlie@fedora port=53456 source ip=192.168.1.24 username=root

It shows which public key was used to log in to the system (the key user field) and under which account (the username field).
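The fingerprint-to-comment mapping described above, as an added Go example that is not the project's own code: it computes the OpenSSH SHA256 fingerprint of each authorized_keys entry, then resolves the fingerprint that sshd prints in its "Accepted publickey" line to the key comment. The two ssh-ed25519 blobs are constructed for the example (not real keys), the sshd log wording is assumed to be the default, and option-prefixed authorized_keys lines are not handled.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"regexp"
	"strings"
)

// Constructed sample authorized_keys: synthetic ssh-ed25519 blobs (all-zero and all-0x01 key bytes), not real keys.
const SampleAuthorizedKeys = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@fedora
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB charlie@fedora`

// Fingerprint computes the OpenSSH "SHA256:<unpadded base64>" fingerprint that sshd logs for a key blob.
func Fingerprint(b64Key string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64Key)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// LoadAuthorizedKeys maps each key's fingerprint to its comment (the "key user"); # and blank lines are skipped, option-prefixed lines are not handled.
func LoadAuthorizedKeys(content string) map[string]string {
	keys := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if fp, err := Fingerprint(f[1]); err == nil { // undecodable blob: skipped here, a real monitor should log it
			keys[fp] = strings.Join(f[2:], " ")
		}
	}
	return keys
}

var acceptedRe = regexp.MustCompile(`Accepted publickey for (\S+) from (\S+) port (\d+) ssh2: \S+ (SHA256:\S+)`)
// ResolveLogin maps the fingerprint in sshd's "Accepted publickey" line to the key user. A fingerprint
// absent from the loaded file comes back as "unknown <fp>": a key you did not add, worth alerting on.
func ResolveLogin(line string, keys map[string]string) (username, ip, keyUser string, ok bool) {
	m := acceptedRe.FindStringSubmatch(line)
	if m == nil {
		return "", "", "", false
	}
	if keyUser, ok = keys[m[4]]; !ok {
		keyUser = "unknown " + m[4]
	}
	return m[1], m[2], keyUser, true
}
```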

Building

Prerequisites

  • Go 1.19 or higher (most likely it works with earlier versions too, but I haven't tested them).

  • systemd-devel (Fedora, Red Hat, CentOS) or libsystemd-dev (Debian, Ubuntu), required by the sdjournal module.

Clone this repo:

git clone https://github.com/pavelanni/ssh-login-monitor.git

Run

From the main directory run:

go run ./... -l test/secure.log -d test/fingerprints.db -a test/authorized_keys -o sum

You should see the following output:

2023/06/11 20:11:26 adding keys from file:  test/authorized_keys
2023/06/11 20:11:26 adding fingerprint for user alice@fedora
2023/06/11 20:11:26 adding fingerprint for user bob@fedora
2023/06/11 20:11:26 adding fingerprint for user charlie@fedora
root    alice@fedora    192.168.1.24    2023-04-27 10:21:19     2023-04-27 10:21:22     3s
root    bob@fedora      192.168.1.24    2023-04-27 10:21:34     2023-04-27 10:21:37     3s
root    charlie@fedora  192.168.1.24    2023-04-27 10:21:55     2023-04-27 10:21:58     3s

Build

  1. Build the application:

    make build

By default it builds the binary for the system on which you run the build. Most likely that is Linux on x86_64, which is where you are going to use this tool.

Copy the binary from bin/slm to the system where you are going to use it.

Using

THIS IS NOT IMPLEMENTED YET

  1. Collect the SSH fingerprints in the database. Specify the authorized_keys file when running this app.

    # slm -a ~/.ssh/authorized_keys
  2. Run this app against a log file, for example /var/log/secure. It will print out the logins and logouts of each user based on the fingerprints database.

  3. If you want to keep monitoring logins, run the app with the -f flag. It will constantly monitor the specified file and print out the events as they happen.

  4. Output formats:

    • -o sum prints the summary of completed sessions with user names, login and logout times, and session duration

    • -o log prints the log of login/logout events with usernames, times

    • -o json prints the list of login/logout events in JSON format (can be imported into another tool)

    • -o csv prints the list of login/logout events in CSV format
