Is there a way to check which auth method the user who just logged in to an account was using?
I'd like to print out a warning after login if someone is using a password instead of a keyfile.
Sure, one solution is to check the ssh logs. But is there a nicer way to do this? Looking up logs could impact performance depending on the log size and the method you use to gather this information.
We are using SUSE and Ubuntu.
Answers:
Method 1
You could add a directive to the authorized_keys entry for a key to add a value to the environment for sessions where that key was used. This is from the sshd documentation:
environment="NAME=value"
Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option.
So the authorized_keys entry might look like this:
environment="SSHKEY=bob_key" ssh-rsa AAAAB3NzaC...iQ== bob@bobspc
When the user’s .bashrc runs, the presence or absence of the SSHKEY variable would indicate whether that particular key was used to authenticate or not.
This is obviously not a general-purpose solution. You’d have to annotate every key entry in every authorized_keys file with this directive. And the user could subvert the check if he had access to alter his .bashrc, authorized_keys, or .ssh/rc files.
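The login-time check this answer sketches, written out as an added example (not code from the answer above): a small script to source from ~/.bashrc or run from ~/.ssh/rc. It assumes the authorized_keys entries carry `environment="SSHKEY=<label>"` exactly as shown, and that sshd_config has `PermitUserEnvironment yes`; without that option sshd drops the variable and every login would look like a password login. The `SSH_CONNECTION` guard is there so local console or `su` shells, which never had an authorized_keys entry applied, do not trigger the warning.

```bash
# Added example, not part of the original answer. Classifies the current
# session from the environment sshd started it with.
# Assumptions: authorized_keys keys are tagged with environment="SSHKEY=<label>"
# and sshd_config contains "PermitUserEnvironment yes".

# Prints one of: "not-ssh", "key:<label>", "password-or-unknown".
classify_ssh_login() {
    # sshd sets SSH_CONNECTION for every SSH session; if it is missing this
    # is a local shell and the key check does not apply.
    if [ -z "${SSH_CONNECTION:-}" ]; then
        printf 'not-ssh\n'
    elif [ -n "${SSHKEY:-}" ]; then
        # A tagged key was used: the label from authorized_keys is carried over.
        printf 'key:%s\n' "$SSHKEY"
    else
        # SSH session without the tag: password login, an untagged key, or
        # PermitUserEnvironment is off. The scheme cannot tell these apart.
        printf 'password-or-unknown\n'
    fi
}

# Emits the warning the question asks for. Returns 0 when no warning was
# needed and 1 when the session does not look like a tagged-key login.
warn_if_password_login() {
    case "$(classify_ssh_login)" in
        password-or-unknown)
            printf 'WARNING: this SSH session was not authenticated with a tagged key; please log in with a key instead of a password.\n' >&2
            return 1
            ;;
    esac
    return 0
}

# When sourced into an interactive shell, run the check once at login.
case $- in
    *i*) warn_if_password_login ;;
esac
```

Because the tag is simply an environment variable, the result is only as trustworthy as the files the answer lists: a user who can edit their own .bashrc, .ssh/rc or authorized_keys can set `SSHKEY` themselves, so treat this as a reminder for cooperative users, not as an enforcement control.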
Method 2
The shell doesn’t know (or care) how you authenticated. sshd will log messages, if configured (via SyslogFacility and LogLevel), to a configurable location (syslog/rsyslog), so you will have to check those logs, if they exist, to find out how the user authenticated.
Look in those logs for:
... sshd[...]: Accepted keyboard-interactive/pam for $USER from ... port ...
or
... sshd[...]: Accepted publickey for $USER from ... port ...
to determine whether they used password (keyboard-interactive) or key authentication.
You might consider summarizing the sshd logs and sending a separate report (via email?) to the users who have logged in via password recently.
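A concrete version of the log summary this answer suggests, added here as an example and not code from the answer: two shell functions that read sshd log lines on stdin, count accepted logins per user and method, and list the users who recently authenticated with a password or keyboard-interactive/pam. The log lines are constructed for the example; on a real host you would feed them from wherever sshd logs on your system (for instance `journalctl -u sshd` or `/var/log/auth.log`), ideally restricted to the time window you care about so the report does not rescan the whole log each time.

```bash
# Added example, not part of the original answer.
# Parses "Accepted <method> for <user> from ..." lines written by sshd.

# Constructed sample log lines (not from a real host).
SAMPLE_LOG='Jan 12 09:14:02 host1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:EXAMPLEKEYHASH1
Jan 12 09:15:40 host1 sshd[2250]: Accepted password for bob from 10.0.0.7 port 51240 ssh2
Jan 12 09:16:11 host1 sshd[2262]: Accepted keyboard-interactive/pam for carol from 10.0.0.9 port 51250 ssh2
Jan 12 09:17:00 host1 sshd[2270]: Failed password for bob from 10.0.0.7 port 51260 ssh2
Jan 12 09:18:30 host1 sshd[2281]: Accepted publickey for bob from 10.0.0.7 port 51270 ssh2: ED25519 SHA256:EXAMPLEKEYHASH2'

# Reads sshd log lines on stdin and prints "user<TAB>method<TAB>count",
# one line per (user, method) pair, sorted. Failed attempts are ignored:
# only "Accepted" lines tell you how a session was actually authenticated.
ssh_auth_summary() {
    awk '
        / sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted") {
                    # fields: Accepted <method> for <user> from ...
                    count[$(i + 3) "\t" $(i + 1)]++
                    break
                }
        }
        END { for (k in count) print k "\t" count[k] }
    ' | sort
}

# Reads sshd log lines on stdin and prints each user who authenticated with
# a password (plain "password" or "keyboard-interactive/pam") at least once.
ssh_password_users() {
    awk '
        / sshd\[[0-9]+\]: Accepted (password|keyboard-interactive[^ ]*) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted") { print $(i + 3); break }
        }
    ' | sort -u
}

# Usage with the constructed sample: the summary shows bob logged in both
# ways, and the password list names bob and carol.
printf '%s\n' "$SAMPLE_LOG" | ssh_auth_summary
printf '%s\n' "$SAMPLE_LOG" | ssh_password_users
```

The output of `ssh_password_users` is what you would hand to the notification step (a mail to each listed user, or a line in a daily report). Keying on the method field rather than on free text also keeps the report correct when a host accepts both `password` and `keyboard-interactive/pam`, which show up as different words in the log but mean the same thing for this purpose.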
Method 3
Newer versions of OpenSSH (I think starting with 7.6) allow the configuration option ExposeAuthenticationMethods. If set to pam-and-env, you can get an environment variable SSH_USER_AUTH set that includes information about the authentication method(s) used. This may include multiple values, when multi-factor authentication is utilized. The default setting (consistent with earlier OpenSSH versions) is never, implying that you would need to resort to log scanning or other methods, if you cannot alter sshd_config or are running an earlier OpenSSH version.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.