GNU Linux Debian 12 – how to enable logging of ssh login logins and logoff (should be enabled per default?)

03.Mar.2024

Administration / Server, Cyber, CyberSec / ITSec / Sicherheit / Security / SPAM, networking, ssh / rsync

per default Debian (unfortunately) does not log ssh logins (why? afraid of harddisk overflows?)

every user and admin wants to see “who and what is going on” the system
usefull also for debugging purposes: what if a ssh client is sometimes allowed and sometimes refused to login?
- why? what’s the issue?
sshd does not write it’s own logfile (the default logfile would be /var/log/auth.log) but relies on rsyslog to do the default but rsyslog is not installed on Debian per default

so let’s go:

hostnamectl; # tested on
Operating System: Debian GNU/Linux 12 (bookworm)  
          Kernel: Linux 6.1.0-18-amd64
    Architecture: x86-64

# DEFINATELY do some ssh hardening :) (as best as possible harden and secure)

su - root
apt install rsyslog

then configure:

vim /etc/ssh/sshd_config

# enable basic logging information
SyslogFacility AUTH

# basic logging
LogLevel INFO

# or VERY detailed logging
LogLevel DEBUG3

then:

service ssh restart

then:

# monitor only the auth.log
tail -f /var/log/auth.log

or use “live view of all logs” one-liner: https://dwaves.de/2017/06/15/gnu-linux-monitor-all-logs-in-real-time-d-follow-all-show-changes-to-log-files-under-var-log/

now test-ssh-login to this system and check what the log does 😀

sample output: of 
tail -f /var/log/auth.log

# login
2024-03-04T17:39:08.271714+01:00 hostname_of_ssh_server sshd[35883]: Accepted publickey for user from 192.ip.of.client port 57528 ssh2: ED25519 SHA256:xxxxxx
2024-03-04T17:39:08.272773+01:00 hostname_of_ssh_server sshd[35883]: pam_unix(sshd:session): session opened for user user(uid=1000) by (uid=0)
2024-03-04T17:39:08.279359+01:00 hostname_of_ssh_server systemd-logind[1084]: New session 34 of user user.
2024-03-04T17:39:08.318215+01:00 hostname_of_ssh_server sshd[35883]: pam_env(sshd:session): deprecated reading of user environment enabled

# logoff
2024-03-04T17:38:47.298498+01:00 hostname_of_ssh_server sshd[35840]: Received disconnect from 192.ip.of.client port 42328:11: disconnected by user
2024-03-04T17:38:47.299446+01:00 hostname_of_ssh_server sshd[35840]: Disconnected from user user 192.ip.of.client port 42328
2024-03-04T17:38:47.299774+01:00 hostname_of_ssh_server sshd[35833]: pam_unix(sshd:session): session closed for user user
2024-03-04T17:38:47.306328+01:00 hostname_of_ssh_server systemd-logind[1084]: Session 33 logged out. Waiting for processes to exit.
2024-03-04T17:38:47.308371+01:00 hostname_of_ssh_server systemd-logind[1084]: Removed session 33.

once upon a log file:

# what was encounted in
vim /var/log/auth.log
# gnome keyring logs there as well
2024-03-04T18:31:36.908206+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: starting password prompt for callback /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.767868+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: completed password prompt for callback :1.18@/org/gnome/keyring/Prompt/p1
2024-03-04T18:31:38.768150+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: encrypting data
2024-03-04T18:31:38.768313+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: sending the secret exchange: [sx-aes-1]\npublic=xxxx/xxxxx\nsecret=xxxxxxxx==\niv=xxxxx+gEBg==\n
2024-03-04T18:31:38.768451+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: calling the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788017+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: returned from the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788188+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: received PerformPrompt call from callback /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788283+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788378+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: closing the prompt 
2024-03-04T18:31:38.788473+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788565+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788660+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788751+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788840+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.788925+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.18
2024-03-04T18:31:38.790956+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: calling the PromptDone method on /org/gnome/keyring/Prompt/p1@:1.18, and ignoring reply
2024-03-04T18:31:48.570587+01:00 hostname_of_ssh_server gcr-prompter[22640]: Gcr: 10 second inactivity timeou

# this file
dpkg -S /usr/libexec/gcr-prompter

# belongs to the package

apt show gcr
Package: gcr
Version: 3.41.1-1+b1
Priority: optional
Section: gnome
Source: gcr (3.41.1-1)
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers ÄT lists DOOOOT alioth DooOT debian doOT org>
Installed-Size: 1,644 kB
Depends: default-dbus-session-bus | dbus-session-bus, libgcr-base-3-1 (= 3.41.1-1+b1), libgcr-ui-3-1 (= 3.41.1-1+b1), dconf-gsettings-backend | gsettings-backend, init-system-helpers (>= 1.52), libc6 (>= 2.34), libgck-1-0 (>= 3.3.90), libglib2.0-0 (>= 2.44.0), libgtk-3-0 (>= 3.22.0), libsecret-1-0 (>= 0.20), libsystemd0
Homepage: https://wiki.gnome.org/Projects/GnomeKeyring
Tag: uitoolkit::gtk
Download-Size: 272 kB
APT-Manual-Installed: no
APT-Sources: https://ftp.halifax.rwth-aachen.de/debian bookworm/main amd64 Packages
Description: GNOME crypto services (daemon and tools)
 GCR is a library for crypto UI and related tasks.

 This package contains the certificate viewer and prompter service.

dpkg -l|grep gcr
ii  gcr                                            3.41.1-1+b1                            amd64        GNOME crypto services (daemon and tools)

afterThought:

it is a wee bit strange, a lot of stuff is written to log files, often too much like:

==> /var/log/syslog <==

2024-03-04T17:33:03.463570+01:00 hostname_of_server NetworkManager[1113] <warn> [1709569983.4627] platform-linux: do-add-ip6-address[3] fe80::b0f4:2e3e:d41d:36ce]: failure 95 (Operation not supported)

<- NetworkManager just can’t accept that IPv6 was disabled?

# tell NetworkManager ipv6 is disabled for this nic (creditz)
nmcli d modify name_of_interface ipv6.method "disabled"
Connection successfully reapplied to device 'name_of_interface'.

liked this article?

only together we can create a truly free world
plz support dwaves to keep it up & running!
(yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
really really hate advertisement
contribute: whenever a solution was found, blog about it for others to find!
talk about, recommend & link to this blog and articles
thanks to all who contribute!

admin