Saturday, 27 September 2014

Tracking user ids when sharing SSH keys

One of the main problems with granting remote access to multiple users through a single shared authorized key is accountability: the target host only sees the shared account, not which person behind it ran a command.

The following setup lets you tie each remote command back to the originating user id, by logging the outgoing connection (with its uid) on the source host and the executed command (with the client address and port) on the target host, and correlating the two on the source port:

1. On your source ("master") server, set up an iptables rule that logs every outgoing SSH connection attempt together with the uid of the local process that opened the socket. `--syn` limits the logging to the first packet of each connection, and `--log-uid` adds the UID/GID fields; the line lands in the kernel log (dmesg / syslog kern facility). Note that the OUTPUT chain only sees locally generated traffic, so this covers ssh clients run on the master itself, not traffic forwarded through it:
iptables -I OUTPUT -p tcp --dport 22 --syn -j LOG --log-prefix "new tcp connection: " --log-uid


2. On your target server:
Create a wrapper script that logs the remote command execution to syslog and then runs the command. Make it executable (chmod 755). SSH_CLIENT is set by sshd to "client-ip client-port server-port", and the client port is what you will later match against the master's log:
/usr/local/bin/log_incoming
#!/bin/sh
# Log who connected (SSH_CLIENT = "ip port serverport") and what they asked to run.
logger -- "SSH command from $SSH_CLIENT: $*"
# Run the requested command. "$@" keeps the arguments exactly as received;
# the unquoted $@ in the original version would re-split and glob them.
exec "$@"

3. In the target shared account, set up authorized_keys to force the logging wrapper in front of whatever command the client sends. SSH_ORIGINAL_COMMAND holds the command the client asked for; because the command= string is run by the account's login shell, the variable is expanded there and split into words, so quotes, pipes and other shell metacharacters in the original command are passed to the wrapper as plain arguments rather than interpreted. Keep in mind that the wrapper only logs, it does not restrict: any command the key holder sends is still executed, and the no-* options only close off port forwarding, X11 and tty allocation. SSH_PUB_KEY stands for the key type and base64 key data:
~/.ssh/authorized_keys
command="/usr/local/bin/log_incoming $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-X11-forwarding,no-pty SSH_PUB_KEY

On your master server you will get a kernel log line like the one below (loopback addresses here because the test connected to localhost). UID=1001 is the user who ran ssh, and SPT=32858 is the ephemeral source port that will show up again on the target:
Sep 27 15:49:59 hostname kernel: [ 4266.151830] new tcp connection: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9887 DF PROTO=TCP SPT=32858 DPT=22 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1001 GID=1002

On your target server you will get the logger line below. The "127.0.0.1 32858 22" part is SSH_CLIENT, so client port 32858 ties this "ls" to the UID 1001 connection logged on the master. Ephemeral ports are reused, so match on timestamps as well as the port, and note that a NAT between the two hosts would rewrite the source address and port and break the correlation:
Sep 27 15:49:59 hostname username: SSH command from 127.0.0.1 32858 22: ls
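The correlation step itself is left to the reader above. The script below is an added example, not part of the original post: it parses both log formats, matches each target-side command to the master-side SYN with the same client address and source port, and resolves the uid to a login name. The log lines are constructed samples in the formats shown above; the hostnames "master" and "target", the shared account "deploy", the uid-to-name map and the 60-second matching window are assumptions for the example (on a real master the names come from /etc/passwd). Because ephemeral ports are reused, the match is the newest SYN for that address/port pair that is not after the command and lies within the window; a command with no matching SYN is reported as UNKNOWN.

```python
import re
from datetime import datetime

# Constructed sample lines (not from a real system) in the two formats the
# post shows: the iptables LOG line on the master, the logger line on the target.
MASTER_LOG = """\
Sep 27 15:49:59 master kernel: [ 4266.151830] new tcp connection: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9887 DF PROTO=TCP SPT=32858 DPT=22 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1001 GID=1002
Sep 27 15:50:10 master kernel: [ 4277.001122] new tcp connection: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9901 DF PROTO=TCP SPT=32870 DPT=22 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1003 GID=1002
"""
TARGET_LOG = """\
Sep 27 15:49:59 target deploy: SSH command from 10.0.0.5 32858 22: ls
Sep 27 15:50:11 target deploy: SSH command from 10.0.0.5 32870 22: cat /etc/passwd
Sep 27 15:51:00 target deploy: SSH command from 10.0.0.7 40000 22: uptime
"""

# Hypothetical uid -> login map; on a real master this comes from /etc/passwd.
UID_NAMES = {1001: "alice", 1003: "bob"}

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
MASTER_RE = re.compile(r"SRC=(?P<src>\S+) .*\bSPT=(?P<spt>\d+) DPT=22 .*\bUID=(?P<uid>\d+)")
TARGET_RE = re.compile(r"SSH command from (?P<src>\S+) (?P<spt>\d+) \d+: (?P<cmd>.*)$")


def _ts(line, year=2014):
    """Parse the syslog timestamp; the year is an assumption (syslog omits it)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")


def parse_master(text):
    """Map (client ip, client port) -> [(SYN time, uid), ...] in log order."""
    syns = {}
    for line in text.splitlines():
        m = MASTER_RE.search(line)
        t = _ts(line)
        if m and t is not None:
            key = (m["src"], int(m["spt"]))
            syns.setdefault(key, []).append((t, int(m["uid"])))
    return syns


def correlate(master_text, target_text, uid_names=UID_NAMES, window_s=60):
    """Attribute each target-side command to a master-side user.

    Returns a list of (user, client ip, client port, command). The matching
    SYN is the newest one for the same ip/port that is not after the command
    and at most window_s seconds before it; ports get reused, so the window
    keeps a stale SYN from being blamed for a later connection.
    """
    syns = parse_master(master_text)
    results = []
    for line in target_text.splitlines():
        m = TARGET_RE.search(line)
        t = _ts(line)
        if not m or t is None:
            continue
        key = (m["src"], int(m["spt"]))
        uid = None
        for syn_t, syn_uid in reversed(syns.get(key, [])):
            if 0 <= (t - syn_t).total_seconds() <= window_s:
                uid = syn_uid
                break
        if uid is None:
            user = "UNKNOWN"
        else:
            user = uid_names.get(uid, f"uid={uid}")
        results.append((user, key[0], key[1], m["cmd"]))
    return results


if __name__ == "__main__":
    for user, ip, port, cmd in correlate(MASTER_LOG, TARGET_LOG):
        print(f"{user:8} {ip}:{port}  {cmd}")
```

The third sample command comes from 10.0.0.7, a host that is not the master and therefore has no SYN log, so it is reported as UNKNOWN; in practice that is the case to alert on, since it means someone used the shared key from a host outside the logging setup.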