Can you get the remote IP during SSH AuthorizedKeysCommand execution?

Time:04-20

Is it possible to get the incoming IP address of an SSH connection before the connection is authorized?

We're using an AuthorizedKeysCommand bash script that is working as intended, but I would like to be able to at least log attempts including the incoming IP address. I've been unable to find anything that would even vaguely hint that it's available. Environment variables like $SSH_CLIENT and $SSH_CONNECTION are empty in the script, and there are no tokens available in the sshd config that contain IP.

The authorized keys script is pretty simple.

    #!/bin/bash
    curl -sf -X GET "http://10.x.x.x/gatekeeper/$1/$IP_WOULD_GO_HERE"

CodePudding user response:

It looks like you've mostly answered the question yourself: that value isn't available as a token nor as an environment variable. Your remaining option is to log the connection somewhere outside of sshd itself:

  • If you have systemd listen for connections on port 22 instead of sshd...

    systemctl disable --now ssh
    systemctl enable --now ssh.socket
    

    ...then you'll see all connections logged in your journal like this:

    Apr 14 17:43:41 node1 systemd[1]: Started OpenSSH per-connection server daemon (192.168.121.19:45516).
    
  • Alternately, you could add a firewall rule to log connections on port 22:

    iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix 'SSH '
    

    Which will get you log messages like this:

    Apr 14 17:46:33 node1 kernel: SSH IN=eth0 OUT= MAC=52:54:00:e9:91:6f:52:54:00:4f:05:26:08:00 SRC=192.168.121.19 DST=192.168.121.35 LEN=60 TOS=0x08 PREC=0x40 TTL=64 ID=40136 DF PROTO=TCP SPT=45518 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
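
The two log formats in the answer above can be normalized and matched against the time an AuthorizedKeysCommand lookup was recorded. This is an added example, not code from the original post; the function names extract_ssh_peers and candidates_for, the third sample line and the 5-second window are assumptions.

```shell
#!/bin/bash
# Added example: normalize the systemd and iptables log lines shown above and
# list connections that started shortly before a given lookup time.

# First two lines are the samples from the answer; the third is constructed.
SAMPLE_LOG='Apr 14 17:43:41 node1 systemd[1]: Started OpenSSH per-connection server daemon (192.168.121.19:45516).
Apr 14 17:46:33 node1 kernel: SSH IN=eth0 OUT= MAC=52:54:00:e9:91:6f:52:54:00:4f:05:26:08:00 SRC=192.168.121.19 DST=192.168.121.35 LEN=60 TOS=0x08 PREC=0x40 TTL=64 ID=40136 DF PROTO=TCP SPT=45518 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 14 17:47:02 node1 sshd[812]: unrelated line that must be ignored'

# Emit "<Mon> <day> <time> <source> <src_ip> <src_port>" per logged connection.
extract_ssh_peers() {
    awk '
    # systemd socket activation: the peer is "(ip:port)" at the end of the line.
    /systemd\[[0-9]+\]: Started OpenSSH per-connection server daemon \(/ {
        peer = $0
        sub(/^.*\(/, "", peer); sub(/\)\.?[ \t]*$/, "", peer)
        port = peer; sub(/^.*:/, "", port)     # text after the last colon
        ip = peer;   sub(/:[^:]*$/, "", ip)    # everything before the last colon
        print $1, $2, $3, "systemd", ip, port
        next
    }
    # iptables LOG rule with the "SSH " prefix: key=value fields.
    / kernel: .*SSH .*SRC=/ {
        ip = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) ip = substr($i, 5)
            if ($i ~ /^SPT=/) port = substr($i, 5)
        }
        if (ip != "" && port != "") print $1, $2, $3, "iptables", ip, port
    }'
}

# Keep records whose connection time is at most "window" seconds before HH:MM:SS
# (same day assumed; a time match is a heuristic, not proof of which peer it was).
candidates_for() {
    awk -v at="$1" -v window="$2" '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    { d = secs(at) - secs($3); if (d >= 0 && d <= window) print }'
}

# Which logged connections started in the 5 seconds before a lookup at 17:46:35?
printf '%s\n' "$SAMPLE_LOG" | extract_ssh_peers | candidates_for 17:46:35 5
```

On a busy host several connections can fall inside the window, so the output is a candidate list rather than a single answer.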