how to find ssh key in audit log file?

I've created an SSH key for connecting two hosts (client 192.168.4.107 and server 192.168.4.106). On the client machine I've run these commands and the SSH connection works:

    ssh-keygen
    ssh-copy-id -i /root/.ssh/id_rsa.pub oracle@192.168.4.106

    ssh-keygen -lf /root/.ssh/id_rsa.pub -E md5
    MD5:9a:3d:f7:c9:38:91:41:c7:8e:ca:a0:75:a2:51:b5:fm
    ssh-keygen -lf /root/.ssh/id_rsa.pub -E sha256
    2048 SHA256:9V6hDnLdq7heMYT2S54AHamAo9Bi8eQVa5oNa1dyHuo

On the server I have enabled the auditing system, and when I run the report (aureport -i) I receive a message like this:

    type=CRYPTO_KEY_USER msg=audit(19/02/2019 12:35:42.590:1145) : pid=12444 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:8a:99:38:f8:db:fd:02:52:76:ce:f8:c5:9a:ef:ef:47:98:23:fb:49:bf:c6:4b:de:e3:76:08:9c:f7:33:01:16 direction=? spid=12444 suid=root exe=/usr/sbin/sshd hostname=? addr=? terminal=? res=success'

The purpose of this activity is to detect user logins with the audit system thanks to SSH keys. The problem is that the two key fingerprints don't match (tracking the IP doesn't work: I work on the cloud and the IP is public and always the same for all users).

The format of the SHA256 fingerprint is really different from the fp inside the audit.log file. In which format is the fp key written?
Where am I wrong?
Thanks!

linux ssh security linux-audit cloud







asked Feb 20 at 8:25 by Francisco Sour
edited Feb 20 at 22:10

  • The fingerprints probably do match, but you have them in two different formats.

    – Kusalananda
    Feb 20 at 9:07

  • It appears that the MD5 is very similar to the fp inside the alert log, but it is explained that the format is SHA256, and the keys don't match. @Kusalananda

    – Francisco Sour
    Feb 20 at 9:13

  • The SHA256 keys may still be the same, but the format that is used differs. You just have to find a way of getting either fingerprint in the other format. I'm not by a computer ATM, so I can't look this up right now. Also, the MD5 fingerprint is irrelevant.

    – Kusalananda
    Feb 20 at 9:18

  • Are you sure this is not the server key? Not the user key?

    – Archemar
    Feb 20 at 14:30

  • I am not familiar with audit tools; however, by looking at /var/log/messages, I managed to retrieve my sha256 fingerprint.

    – Archemar
    Feb 20 at 14:34
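
The two fingerprints in the question are the same kind of value written two ways: `ssh-keygen -E sha256` prints the 32-byte SHA-256 digest of the key blob as unpadded base64 (43 characters), while the audit record's `fp=` field prints the same kind of digest as 32 colon-separated hex bytes, the spelling traditionally used for MD5. Two further points a practitioner should check before comparing: the record shown is `kind=server`, i.e. sshd destroying a copy of a server host key, so it will never equal the client's user key whatever the encoding; and the user key that was actually accepted is logged by sshd in its "Accepted publickey ... SHA256:..." syslog line, not in this CRYPTO_KEY_USER record. The following is an added example, not code from the question or its comments; it converts between the two spellings and computes a fingerprint from an authorized_keys line. The two fingerprint constants are copied from the question; the sample key line is a constructed, truncated blob (only the "ssh-rsa" type string and exponent), not a usable key.

```python
import base64
import hashlib

# Fingerprints copied from the question: the client's user key as printed by
# ssh-keygen (base64, no padding) and the fp= field from the server's audit
# record (a SHA-256 digest too, but written as colon-separated hex bytes).
CLIENT_KEY_FP = "SHA256:9V6hDnLdq7heMYT2S54AHamAo9Bi8eQVa5oNa1dyHuo"
AUDIT_FP = ("SHA256:8a:99:38:f8:db:fd:02:52:76:ce:f8:c5:9a:ef:ef:47:"
            "98:23:fb:49:bf:c6:4b:de:e3:76:08:9c:f7:33:01:16")

# Constructed sample authorized_keys line (assumption: the blob is only the
# "ssh-rsa" type string and e=65537, so it decodes but is not a real key).
SAMPLE_KEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB constructed@example"


def fingerprint_bytes(fp: str) -> bytes:
    """Return the raw digest behind a fingerprint in either spelling.

    Accepts 'SHA256:<base64 without padding>' (ssh-keygen, sshd syslog) and
    'SHA256:aa:bb:...' / 'MD5:aa:bb:...' (hex-colon, as in the audit record).
    """
    algo, _, value = fp.partition(":")
    if algo.upper() not in ("SHA256", "MD5"):
        raise ValueError(f"unsupported fingerprint algorithm: {algo!r}")
    if ":" in value:
        # hex-colon form: every byte is two hex digits
        return bytes.fromhex(value.replace(":", ""))
    # base64 form: ssh strips the '=' padding, so add it back before decoding
    return base64.b64decode(value + "=" * (-len(value) % 4))


def to_openssh(fp: str) -> str:
    """Re-encode a fingerprint the way ssh-keygen -l prints it."""
    algo = fp.partition(":")[0].upper()
    digest = fingerprint_bytes(fp)
    if algo == "MD5":
        # ssh-keygen prints MD5 fingerprints as hex-colon, never base64
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return algo + ":" + base64.b64encode(digest).decode("ascii").rstrip("=")


def to_hexcolon(fp: str) -> str:
    """Re-encode a fingerprint the way the audit log's fp= field spells it."""
    algo = fp.partition(":")[0].upper()
    return algo + ":" + ":".join(f"{b:02x}" for b in fingerprint_bytes(fp))


def same_key(fp_a: str, fp_b: str) -> bool:
    """Compare two fingerprints regardless of how each one is encoded."""
    algo_a = fp_a.partition(":")[0].upper()
    algo_b = fp_b.partition(":")[0].upper()
    return algo_a == algo_b and fingerprint_bytes(fp_a) == fingerprint_bytes(fp_b)


def pubkey_fingerprint(authorized_key_line: str) -> str:
    """SHA256 fingerprint of one id_rsa.pub / authorized_keys line.

    ssh-keygen -lf hashes the base64-decoded key blob (the second field).
    """
    blob = base64.b64decode(authorized_key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    print("audit fp in ssh-keygen spelling:", to_openssh(AUDIT_FP))
    print("client fp in audit spelling    :", to_hexcolon(CLIENT_KEY_FP))
    print("same key?                      :", same_key(AUDIT_FP, CLIENT_KEY_FP))
    print("sample line fingerprint        :", pubkey_fingerprint(SAMPLE_KEY_LINE))
```

Running it confirms that the digest behind the audit record is not the client key in a different encoding; it is a different 32-byte digest (the host key's). To match user logins to keys, compare `to_hexcolon()` or `to_openssh()` output against the fingerprint in sshd's "Accepted publickey" line, as the answer below does.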
1 Answer
I explain my solution for detecting activity changes of users on a server in the cloud, with the requirements below:

  • the client has a private key with fingerprint SHA256 x.x.x.x.x and SSH connection is enabled.

  • on the server the auditing system is enabled.

  • watch rules are enabled for a specified folder, for example /home/oracle/

To detect a modified file, I follow the steps below; here is an example:

    ausearch -f
    ------------
    20/02/2019 16:37:00 /home/oracle/.bash_history 2 yes /usr/bin/bash 54321 770

770 is the event number; thanks to it I can find the session number:

    ausearch -p | grep 770
    ----------------------
    type=SYSCALL msg=audit(20/02/2019 16:37:00.868:770) : arch=x86_64 syscall=open success=yes exit=3 a0=0x10bd080 a1=O_WRONLY|O_APPEND a2=0x180 a3=0x0 items=1 ppid=8649 pid=8650 auid=oracle uid=oracle gid=oinstall euid=oracle suid=oracle fsuid=oracle egid=oinstall sgid=oinstall fsgid=oinstall tty=pts1 ses=58 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=modifica_fil

The session number is 58; thanks to it I can find the pid of the login session:

    ausearch -i | grep ses=58
    ---------------------------
    type=LOGIN msg=audit(20/02/2019 16:34:37.366:747) : pid=8646 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=oracle tty=(none) old-ses=4294967295 ses=58 res=yes

The pid of the login is 8646; I can look up the fingerprint of the key used by a specified user in /var/log/secure:

    cat secure | grep 8646
    ----------------------
    sshd[8646]: Accepted publickey for oracle from 192.168.4.107 port 58892 ssh2: RSA SHA256:x.x.x.x.x

answered Feb 20 at 16:04 by Francisco Sour
edited Feb 21 at 11:16
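
The answer's four manual steps form one correlation chain: file watch event -> event serial -> `ses` of the SYSCALL record -> `pid` of the LOGIN record for that session -> the `sshd[pid]` "Accepted publickey" syslog line carrying the key fingerprint. The script below, an added example and not part of the answer, runs that chain over saved copies of the three outputs rather than calling the tools itself. The sample data is constructed from the records shown in the answer: each audit record is on one line as `ausearch -i` prints it, a second decoy session (ses=57, pid 8001) is added so the filtering is visible, and the client key fingerprint from the question stands in for the answer's `x.x.x.x.x` placeholder. The hostname `srv`, the decoy fingerprint and the decoy event serials are invented.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data modelled on the answer's output (see lead-in).
# aureport -f columns: date time file syscall success exe auid event
AUREPORT_F = """\
20/02/2019 16:37:00 /home/oracle/.bash_history 2 yes /usr/bin/bash 54321 770
20/02/2019 15:05:10 /home/oracle/.bash_history 2 yes /usr/bin/bash 54321 712
"""

AUSEARCH_I = """\
type=LOGIN msg=audit(20/02/2019 15:01:02.000:700) : pid=8001 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=oracle tty=(none) old-ses=4294967295 ses=57 res=yes
type=SYSCALL msg=audit(20/02/2019 15:05:10.100:712) : arch=x86_64 syscall=open success=yes exit=3 a0=0x10bd080 a1=O_WRONLY|O_APPEND a2=0x180 a3=0x0 items=1 ppid=8004 pid=8005 auid=oracle uid=oracle gid=oinstall euid=oracle suid=oracle fsuid=oracle egid=oinstall sgid=oinstall fsgid=oinstall tty=pts0 ses=57 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=modifica_fil
type=LOGIN msg=audit(20/02/2019 16:34:37.366:747) : pid=8646 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=oracle tty=(none) old-ses=4294967295 ses=58 res=yes
type=SYSCALL msg=audit(20/02/2019 16:37:00.868:770) : arch=x86_64 syscall=open success=yes exit=3 a0=0x10bd080 a1=O_WRONLY|O_APPEND a2=0x180 a3=0x0 items=1 ppid=8649 pid=8650 auid=oracle uid=oracle gid=oinstall euid=oracle suid=oracle fsuid=oracle egid=oinstall sgid=oinstall fsgid=oinstall tty=pts1 ses=58 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=modifica_fil
"""

SECURE_LOG = """\
Feb 20 15:01:02 srv sshd[8001]: Accepted publickey for oracle from 192.168.4.107 port 50100 ssh2: RSA SHA256:ConstructedDecoyFingerprintForSession57AAAAAA
Feb 20 16:34:37 srv sshd[8646]: Accepted publickey for oracle from 192.168.4.107 port 58892 ssh2: RSA SHA256:9V6hDnLdq7heMYT2S54AHamAo9Bi8eQVa5oNa1dyHuo
Feb 20 16:34:37 srv sshd[8646]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
"""

# The timestamp itself contains colons, so the serial is the digits right
# before the closing parenthesis.
AUDIT_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<when>.*?):(?P<serial>\d+)\) : (?P<body>.*)$")
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<ktype>\S+) (?P<fp>\S+)")


def parse_ausearch(text: str) -> List[Dict[str, str]]:
    """Split ausearch -i output into records of {type, serial, field: value}."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rec = {"type": m["type"], "serial": m["serial"]}
        for token in m["body"].split():
            if "=" in token:
                key, value = token.split("=", 1)
                rec[key] = value
        records.append(rec)
    return records


def events_for_file(aureport_text: str, path: str) -> List[int]:
    """Event serials (last aureport -f column) for lines touching path."""
    return [int(cols[-1]) for cols in (l.split() for l in aureport_text.splitlines())
            if len(cols) >= 8 and cols[2] == path]


def session_for_event(records: List[Dict[str, str]], serial: int) -> Optional[int]:
    """ses= of the SYSCALL record with the given event serial."""
    for rec in records:
        if rec["type"] == "SYSCALL" and rec["serial"] == str(serial) and "ses" in rec:
            return int(rec["ses"])
    return None


def login_pid_for_session(records: List[Dict[str, str]], ses: int) -> Optional[int]:
    """pid of the LOGIN record that created the audit session ses."""
    for rec in records:
        if rec["type"] == "LOGIN" and rec.get("ses") == str(ses):
            return int(rec["pid"])
    return None


def accepted_key_for_pid(secure_text: str, pid: int) -> Optional[Dict[str, str]]:
    """User, source IP and key fingerprint from sshd[pid]'s Accepted line."""
    for line in secure_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and int(m["pid"]) == pid:
            return {"user": m["user"], "ip": m["ip"], "fp": m["fp"]}
    return None


def who_changed(aureport_text: str, ausearch_text: str, secure_text: str,
                path: str) -> List[Dict[str, object]]:
    """Chain file event -> ses -> LOGIN pid -> key fingerprint, per event."""
    records = parse_ausearch(ausearch_text)
    results = []
    for serial in events_for_file(aureport_text, path):
        ses = session_for_event(records, serial)
        pid = login_pid_for_session(records, ses) if ses is not None else None
        key = accepted_key_for_pid(secure_text, pid) if pid is not None else None
        results.append({"serial": serial, "ses": ses, "login_pid": pid, "key": key})
    return results


if __name__ == "__main__":
    for hit in who_changed(AUREPORT_F, AUSEARCH_I, SECURE_LOG, "/home/oracle/.bash_history"):
        print(hit)
```

Two checks worth keeping in mind when doing this by hand: `ausearch -a 770 -i` returns exactly the event with serial 770 (all its SYSCALL and PATH records) without grepping, and `ausearch --session 58 -i` lists every record of that login session, so the two greps in the answer can be replaced by exact lookups. The `pid` in the LOGIN record is the sshd process that set the login uid for the session, which is why it matches the `sshd[pid]` prefix in /var/log/secure; on a system that logs only to the journal, read the same line with `journalctl _PID=8646`.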